Skip to content
This repository has been archived by the owner. It is now read-only.

Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #115

Open
NewEraCracker opened this issue Nov 19, 2018 · 40 comments
Open

Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #115

NewEraCracker opened this issue Nov 19, 2018 · 40 comments

Comments

@NewEraCracker
Copy link

@NewEraCracker NewEraCracker commented Nov 19, 2018

I'm using version 3.3.6 of this module. flatmap-stream was added by this commit:
e316336

The new updates to the package on npm are very suspicious.

0.1.0: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz
0.1.1: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
0.1.2: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.2.tgz

Regards.

@kevinburke
Copy link

@kevinburke kevinburke commented Nov 26, 2018

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.

@funny-falcon
Copy link

@funny-falcon funny-falcon commented Nov 26, 2018

Thrre were no bad intentions:
#73

@kevinburke
Copy link

@kevinburke kevinburke commented Nov 26, 2018

per the description linked here: #116 (comment)

the package attempts to steal Bitcoin from an installed Bitcoin wallet, so yes, it does seem like there were really bad intentions!!!

@funny-falcon
Copy link

@funny-falcon funny-falcon commented Nov 26, 2018

I mean flatmap-stream were added to this repository not to steal bitcoins but to implement functionality. @right9ctrl just didn't know flatmap were malicious.

@nic-hartley
Copy link

@nic-hartley nic-hartley commented Nov 26, 2018

@funny-falcon Sure, that's why an utterly unknown package was used for flatmap instead of going with any of the many, many popular libraries which already provide it (lodash springs to mind instantly, but I'm 100% sure there are plenty of others). A package which had literally zero downloads before being integrated into event-stream. That's why the major version was bumped immediately afterwards without invalidating the old minor release which introduced the attack.

Sure. You keep believing it was unintentional. Whatever you say. I bet you're not even a sockpuppet.

@supernintendo
Copy link

@supernintendo supernintendo commented Nov 26, 2018

@funny-falcon @right9ctrl deliberately added an older version of flatmap-stream that contained the malicious code. But whether this was intentional or a mistake is irrelevant. You can kill me in cold blood or as an unintentional casualty; either way I’m dead and want nothing to do with you.

@funny-falcon
Copy link

@funny-falcon funny-falcon commented Nov 26, 2018

All kinds of justice distinguish intentional and unintentional murders.

@cmawhorter
Copy link

@cmawhorter cmawhorter commented Nov 26, 2018

maybe someone has a better way, but to scan for flatmap:

find ~/ -path */node_modules/flatmap-stream/package.json

and plug the results into:

const paths = `/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json`;
paths.split(/\n/g).forEach(p => {
	const pkg = require(p.trim());
	console.log(pkg.version, p);
});

and look for 0.1.1 (i think?)

@supernintendo
Copy link

@supernintendo supernintendo commented Nov 26, 2018

@funny-falcon Are you intentionally being obtuse or are you that much of a fucking idiot? It's called an analogy. We're obviously talking about open source code, not the justice system or due process. One of two scenarios are at play here:

  1. @right9ctrl intentionally added the malicious dependency.
  2. @right9ctrl unintentionally added the malicious dependency.

Either way, this person put others at risk by adding a version of flatmap-stream containing the malicious code. The library contains less than 200 lines of JS. I honestly hope @right9ctrl was being malicious because if this is the work of a legitimate developer trying to maintain a package used by hundreds of thousands of projects, then I'm done with JavaScript. The community has reached a new low if this was truly an honest mistake.

But personally @funny-falcon, I'm not one to blindly follow Hanlon's razor. If you want to convince me (and others) that this was not a malicious act, please provide better arguments than simply spamming "no bad intentions" in every thread. You look naive at best and suspect at worst.

@kevinburke
Copy link

@kevinburke kevinburke commented Nov 26, 2018

It's not really appropriate to use that language nor to attack someone directly like that. Criticize the argument sure not the person.

@NewEraCracker
Copy link
Author

@NewEraCracker NewEraCracker commented Nov 27, 2018

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

@justrhysism
Copy link

@justrhysism justrhysism commented Nov 27, 2018

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

As I understand it, NPM have already removed the package. But it might still be sitting in your cache.

@grantila
Copy link

@grantila grantila commented Nov 27, 2018

@right9ctrl also forked node-scrypt which is used by coin and mining software, and in the fork changed already unsafe code (invalid memory reads) into just differently unsafe code.

And a certain person assuming "no bad intentions", is as @supernintendo said, "naive at best and suspect at worst"

@kseebrinegar
Copy link

@kseebrinegar kseebrinegar commented Nov 27, 2018

crazy.

@yoyo837
Copy link

@yoyo837 yoyo837 commented Nov 27, 2018

@right9ctrl Crazy...

dpilafian added a commit to center-key/gulp-node-slate that referenced this issue Nov 27, 2018
@funny-falcon
Copy link

@funny-falcon funny-falcon commented Nov 27, 2018

@supernintendo , first, you are really polite. Thank you for calling me fucking idiot. That really shows your level.

Second, with my claim I added link to the issue about flatmap functionality in this library opened three years ago and closed three months ago by @right9ctrl. That is why I claim that it was huge and unforgettable mistake, but just mistake.

Third, if you, @supernintendo, never made any mistake, then you are totally right... But there is no single man who never did mistakes.

Forth, leftpad happened more than two years ago, but people still import libraries for dozen line of codes. That is npm tradition. Obviously @right9ctrl just followed tradition. Given malicious code is present only in minified version of library, it is clear to me he didn't notice that malware. Do you check minified versions of all libraries you imported to your project? I really doubt.
And it is npm issue: npm should not allow publishing of minified versions. It should allow to publish public visible well readable versions.

"let him who is without sin cast the first stone" - spoked one great man. Don't forget this sentence.

@whevether
Copy link

@whevether whevether commented Nov 27, 2018

@funny-falcon You're a good cooker. pot

@y-chen
Copy link

@y-chen y-chen commented Nov 27, 2018

Hello, I clone a my node repository that I wasn't using from a while and now I'm facing a 404 error on flatmap-stream-0.1.1 that I'm not using directly.

I already tried to delete node_modules folder, clean cache and npm install (also update) but unsuccessfully.

How can I make my project run again?

@kevinpiac
Copy link

@kevinpiac kevinpiac commented Nov 27, 2018

@y-chen
Copy link

@y-chen y-chen commented Nov 27, 2018

@kevinpiac what should I run? I haven't event-stream in my package.json .

npm install event-stream ?

Thanks

@kevinpiac
Copy link

@kevinpiac kevinpiac commented Nov 27, 2018

@y-chen If you are using npm version 5 or newer, running npm i should generate a package-lock.json file. This file contains event-stream since it's a peer dependency of your project. Update it to 3.3.5 (last version before the backdoor) and run npm i again. This did the trick for me.

@aichholzer
Copy link

@aichholzer aichholzer commented Nov 27, 2018

Morale of the story:

Write your own code and don't ever blindly trust your source.

@whtsky whtsky mentioned this issue Feb 7, 2019
0 of 2 tasks complete
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet