The newest malware vector in open source
As the title of the linked post by Cory Doctorow puts it, all you have to do is “become an admin on dormant, widely-used open source projects” and then do your thing.
Many open source projects reach a level of “maturity” where no one really needs new features and few new bugs are being found. The contributors dwindle, often to a single maintainer, who is generally grateful when a developer takes an interest in the old project and offers to share the choresome, intermittent work of keeping it alive.
Ironically, these are often projects with millions of users, who trust them precisely because of their stolid, unexciting maturity.
That combination makes for a scary social-engineering vector for malware: no exploit is needed, only enough goodwill to be handed the admin role…
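One practical check this vector suggests, as an added example that is not code from the linked post or from any of the projects mentioned here: a handed-over package can only reach your build through a new release, so diff two `package-lock.json` snapshots and surface what a release changed before merging the lockfile update. The script below works on the lockfileVersion 1 shape (nested `dependencies` objects with `version` and `integrity`); the two lockfiles, the package names and the integrity strings are constructed for illustration.

```javascript
'use strict';

// Constructed sample lockfiles (package-lock.json, lockfileVersion 1 shape).
// Package names and integrity values are hypothetical, not real registry data.
const LOCK_BEFORE = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'mature-lib': {
      version: '3.3.4',
      integrity: 'sha512-aaaa',
      requires: { through: '~2.3.1' },
      dependencies: {
        through: { version: '2.3.8', integrity: 'sha512-bbbb' },
      },
    },
    'pinned-lib': { version: '1.0.0', integrity: 'sha512-cccc' },
  },
};

const LOCK_AFTER = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'mature-lib': {
      // A new release of the mature package that pulls in a dependency it
      // never had before.
      version: '3.3.6',
      integrity: 'sha512-dddd',
      requires: { through: '~2.3.1', 'shiny-helper': '~0.1.0' },
      dependencies: {
        through: { version: '2.3.8', integrity: 'sha512-bbbb' },
        'shiny-helper': { version: '0.1.1', integrity: 'sha512-eeee' },
      },
    },
    // Same version string as before, but a different tarball hash.
    'pinned-lib': { version: '1.0.0', integrity: 'sha512-ffff' },
  },
};

// Walk the nested "dependencies" tree and key each entry by its install path
// ("parent>child"), because one package can appear at several depths.
function flattenLock(lock) {
  const out = new Map();
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const key = prefix ? `${prefix}>${name}` : name;
      out.set(key, { version: meta.version, integrity: meta.integrity });
      walk(meta.dependencies, key);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Report what the new lockfile introduces relative to the old one:
//   added           - packages (at a given path) that were not installed before
//   removed         - packages that disappeared
//   versionChanged  - same package, different version
//   republished     - same version, different integrity: the tarball was swapped
function diffLockfiles(before, after) {
  const old = flattenLock(before);
  const cur = flattenLock(after);
  const report = { added: [], removed: [], versionChanged: [], republished: [] };
  for (const [key, meta] of cur) {
    const prev = old.get(key);
    if (!prev) {
      report.added.push(`${key}@${meta.version}`);
    } else if (prev.version !== meta.version) {
      report.versionChanged.push(`${key}: ${prev.version} -> ${meta.version}`);
    } else if (prev.integrity !== meta.integrity) {
      report.republished.push(`${key}@${meta.version}`);
    }
  }
  for (const key of old.keys()) {
    if (!cur.has(key)) report.removed.push(key);
  }
  return report;
}

console.log(JSON.stringify(diffLockfiles(LOCK_BEFORE, LOCK_AFTER), null, 2));
```

In a review gate you would feed this the lockfile from the base branch and from the pull request, and block the merge when `added` or `republished` is non-empty until a human has looked at the new package: a brand-new transitive dependency arriving through a minor release of a long-quiet library, or a tarball whose content changed under an unchanged version number, is exactly the shape of change a newly minted admin can make.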
We’ll be talking with Dominic Tarr about the details shared in Issue #116 on event-stream later today on The Changelog (the episode will hit RSS feeds next week).
Chime in below if you’d like to add questions/thoughts to our planned discussion.
Discussion
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-28T17:32:19Z
Another great read on the details behind this event-stream attack can be read over at Tidelift ~> https://blog.tidelift.com/event-stream-100-million-downloads-unmaintained-hacked.-now-can-we-pay-the-maintainers
Kevin Ball
2018-11-28T17:34:08Z
I’d be interested in Dominic’s thoughts on sweeping low level/infrastructure projects with wide use into support organizations like Ruby Together
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-28T17:52:53Z
@kball are there cases you’re aware of where orgs like Ruby Together took over projects like this?
Justin Dorfman
Los Angeles
2018-11-28T18:07:03Z
This is Tidelift & OpenCollective’s time to shine IMO. Maintainers should learn from this and have a sustainability plan built in from the get go. Really looking forward to this interview.
Christopher Hiller
Ridgefield, WA, USA
likes it as much as the next guy
2018-11-28T18:14:27Z
I don’t see how $15/mo in donations would have prevented this problem.
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-28T18:30:24Z
Tidelift’s model goes beyond donations to ensure packages/projects are maintained and secured. It’s an active fight to make this happen and most of Tidelift’s story and business model to “pay the maintainers” was shared by Donald Fischer on Founders Talk #58 ~> https://changelog.com/founderstalk/58
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-28T18:34:04Z
I should also mention Pia’s episode on Founders Talk (https://changelog.com/founderstalk/52) and The Changelog (https://changelog.com/podcast/234) too for more back story on their mission and model.
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-28T18:46:58Z
Bruce Schneier linked out to more good links to check out around this subject too:
Adam Stacoviak
Austin, TX
Founder and Editor-in-Chief of Changelog
2018-11-29T18:28:41Z
On the npm blog ~> Details about the event-stream incident