This repository has been archived by the owner. It is now read-only.

Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #115

Open
NewEraCracker opened this Issue Nov 19, 2018 · 40 comments

@NewEraCracker

NewEraCracker commented Nov 19, 2018

I'm using version 3.3.6 of this module. flatmap-stream was added by this commit:
e316336

The new updates to the package on npm are very suspicious.

0.1.0: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz
0.1.1: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
0.1.2: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.2.tgz

Regards.

@kevinburke

kevinburke commented Nov 26, 2018

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.

@funny-falcon

funny-falcon commented Nov 26, 2018

There were no bad intentions:
#73

@kevinburke

kevinburke commented Nov 26, 2018

per the description linked here: #116 (comment)

the package attempts to steal Bitcoin from an installed Bitcoin wallet, so yes, it does seem like there were really bad intentions!!!

@funny-falcon

funny-falcon commented Nov 26, 2018

I mean flatmap-stream was added to this repository not to steal bitcoins but to implement functionality. @right9ctrl just didn't know flatmap was malicious.

@nic-hartley

nic-hartley commented Nov 26, 2018

@funny-falcon Sure, that's why an utterly unknown package was used for flatmap instead of going with any of the many, many popular libraries which already provide it (lodash springs to mind instantly, but I'm 100% sure there are plenty of others). A package which had literally zero downloads before being integrated into event-stream. That's why the major version was bumped immediately afterwards without invalidating the old minor release which introduced the attack.

Sure. You keep believing it was unintentional. Whatever you say. I bet you're not even a sockpuppet.

@supernintendo

supernintendo commented Nov 26, 2018

@funny-falcon @right9ctrl deliberately added an older version of flatmap-stream that contained the malicious code. But whether this was intentional or a mistake is irrelevant. You can kill me in cold blood or as an unintentional casualty; either way I’m dead and want nothing to do with you.

@funny-falcon

funny-falcon commented Nov 26, 2018

All kinds of justice distinguish intentional and unintentional murders.

@cmawhorter

cmawhorter commented Nov 26, 2018

maybe someone has a better way, but to scan for flatmap:

find ~ -path '*/node_modules/flatmap-stream/package.json'   # quote the glob so the shell hands it to find unexpanded

and plug the results into:

// one package.json path per line, pasted from the find output above
const paths = `/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json`;
paths.split(/\n/g).forEach(p => {
	const pkg = require(p.trim()); // require() parses the JSON for us
	console.log(pkg.version, p);
});

and look for 0.1.1 (i think?)

@supernintendo

supernintendo commented Nov 26, 2018

@funny-falcon Are you intentionally being obtuse or are you that much of a fucking idiot? It's called an analogy. We're obviously talking about open source code, not the justice system or due process. One of two scenarios is at play here:

  1. @right9ctrl intentionally added the malicious dependency.
  2. @right9ctrl unintentionally added the malicious dependency.

Either way, this person put others at risk by adding a version of flatmap-stream containing the malicious code. The library contains less than 200 lines of JS. I honestly hope @right9ctrl was being malicious because if this is the work of a legitimate developer trying to maintain a package used by hundreds of thousands of projects, then I'm done with JavaScript. The community has reached a new low if this was truly an honest mistake.

But personally @funny-falcon, I'm not one to blindly follow Hanlon's razor. If you want to convince me (and others) that this was not a malicious act, please provide better arguments than simply spamming "no bad intentions" in every thread. You look naive at best and suspect at worst.

@kevinburke

kevinburke commented Nov 26, 2018

It's not really appropriate to use that language nor to attack someone directly like that. Criticize the argument, sure, not the person.

@NewEraCracker

NewEraCracker commented Nov 27, 2018

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

@justrhysism

justrhysism commented Nov 27, 2018

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

As I understand it, NPM have already removed the package. But it might still be sitting in your cache.

@grantila

grantila commented Nov 27, 2018

@right9ctrl also forked node-scrypt which is used by coin and mining software, and in the fork changed already unsafe code (invalid memory reads) into just differently unsafe code.

And a certain person assuming "no bad intentions" is, as @supernintendo said, "naive at best and suspect at worst".

@kseebrinegar

kseebrinegar commented Nov 27, 2018

crazy.

@yoyo837

yoyo837 commented Nov 27, 2018

@right9ctrl Crazy...

dpilafian added a commit to center-key/gulp-node-slate that referenced this issue Nov 27, 2018

@funny-falcon

funny-falcon commented Nov 27, 2018

@supernintendo, first, you are really polite. Thank you for calling me a fucking idiot. That really shows your level.

Second, with my claim I added a link to the issue about flatmap functionality in this library, opened three years ago and closed three months ago by @right9ctrl. That is why I claim that it was a huge and unforgettable mistake, but just a mistake.

Third, if you, @supernintendo, never made any mistake, then you are totally right... But there is no single man who never made mistakes.

Fourth, leftpad happened more than two years ago, but people still import libraries for a dozen lines of code. That is npm tradition. Obviously @right9ctrl just followed tradition. Given that the malicious code is present only in the minified version of the library, it is clear to me he didn't notice that malware. Do you check the minified versions of all libraries you import into your project? I really doubt it.
And it is an npm issue: npm should not allow publishing of minified versions. It should only allow publishing publicly visible, well readable versions.

"Let him who is without sin cast the first stone," spoke one great man. Don't forget this sentence.

@whevether

whevether commented Nov 27, 2018

@funny-falcon You're a good cooker. pot

@funny-falcon

funny-falcon commented Nov 27, 2018

@christopherwxyz A mistake is a fault. I agree the whole issue is a damn fault.

I just saw evidence this was an unintentional fault. And I prefer to think people are dumb rather than evil.

@JBaczuk

JBaczuk commented Nov 27, 2018

Someone wrote the code, though. Related: #116 (comment)

@spsenthilrm

spsenthilrm commented Nov 27, 2018

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.

As per the referenced article, they suggest upgrading to 4.0.1. Can you please recommend whether to downgrade to 3.3.4 or 3.3.5, or to upgrade to 4.0.1? Ref:
https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

Akkowicz added a commit to Akkowicz/videa that referenced this issue Nov 27, 2018

moKacraft referenced this issue in moKacraft/pointeuse_back Nov 27, 2018

dockerfile still and maybe flatmap-stream
can't npm install
can't find flatmap, downgraded to eventstream 3.3.4
removed flatmap dependency
@y-chen

y-chen commented Nov 27, 2018

Hello, I cloned a node repository of mine that I hadn't used for a while, and now I'm facing a 404 error on flatmap-stream-0.1.1, which I'm not using directly.

I already tried deleting the node_modules folder, cleaning the cache and running npm install (also update), but unsuccessfully.

How can I make my project run again?

@kevinpiac

kevinpiac commented Nov 27, 2018

@y-chen

y-chen commented Nov 27, 2018

@kevinpiac what should I run? I don't have event-stream in my package.json.

npm install event-stream ?

Thanks

@kevinpiac

kevinpiac commented Nov 27, 2018

@y-chen If you are using npm version 5 or newer, running npm i should generate a package-lock.json file. This file contains event-stream since it's a peer dependency of your project. Update it to 3.3.5 (last version before the backdoor) and run npm i again. This did the trick for me.

@aichholzer

aichholzer commented Nov 27, 2018

Moral of the story:

Write your own code and don't ever blindly trust your source.

@peduarte peduarte referenced this issue Nov 28, 2018

Closed

Unable to start #11

@w33ble w33ble referenced this issue Nov 28, 2018

Open

New maintainer #4
