Cory Doctorow Boing Boing

The newest malware vector in open source

As the title for the linked post from Cory Doctorow says, all you have to do is “become an admin on dormant, widely-used open source projects” and then do your thing.

Many open source projects attain a level of “maturity” where no one really needs any new features and there aren’t a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive.

Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity.

This presents a scary social-engineering vector for malware…

We’ll be talking with Dominic Tarr about the details shared in Issue #116 on event-stream later today on The Changelog (the episode will hit RSS feeds next week).

Chime in below if you’d like to add questions/thoughts to our planned discussion.


Discussion


Adam Stacoviak

Houston, TX

Founder and Editor-in-Chief of Changelog. Hacker to the heart.

2018-11-28T17:32:19.74684Z

Another great read on the details behind this event-stream attack can be read over at Tidelift ~> https://blog.tidelift.com/event-stream-100-million-downloads-unmaintained-hacked.-now-can-we-pay-the-maintainers

The project had been largely unmaintained, seeing only 11 commits in the past three years before the attacker took over. Despite this inactivity, event-stream was still seeing nearly 2 million downloads per week, and was used by large open source projects such as Angular, Mocha, and Electron, as well as commercial codebases all over the world, including BBC News and Microsoft.

2018-11-28T18:07:03.391786Z

This is Tidelift & OpenCollective’s time to shine IMO. Maintainers should learn from this and have a sustainability plan built in from the get go. Really looking forward to this interview.

2018-11-28T18:14:27.053987Z

I don’t see how $15/mo in donations would have prevented this problem.

Adam Stacoviak

2018-11-28T18:30:24.823012Z

Tidelift’s model goes beyond donations to ensure packages/projects are maintained and secured. It’s an active fight to make this happen and most of Tidelift’s story and business model to “pay the maintainers” was shared by Donald Fischer on Founders Talk #58 ~> https://changelog.com/founderstalk/58

Adam Stacoviak

2018-11-29T18:28:41.277776Z

On the npm blog ~> Details about the event-stream incident

For users of the Copay app, bitpay recommends, “If you are using any version from 5.0.2 to 5.1.0, you should not run or open the Copay app.”

For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.
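Beyond running npm audit, a defender usually wants to know exactly where a package like event-stream enters the dependency tree and at which version. The following Node script is an added example, not code from the Changelog post, the npm blog or the event-stream project; it walks a constructed lockfileVersion 1 package-lock.json, and the version strings and project name in it are placeholders, not the real event-stream release numbers.

```javascript
// Added example: walk a package-lock.json (lockfileVersion 1 layout, with
// nested "dependencies" maps) and report every occurrence of a named
// package, its resolved version and the path that pulls it in. This is the
// kind of inventory `npm ls` and `npm audit` perform for you.

// Constructed sample lock file (placeholder versions, not real releases):
// the app depends on a build tool that transitively pulls in event-stream,
// and also depends on a different event-stream version directly.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "some-build-tool": {
      version: "1.0.0",
      dependencies: {
        "event-stream": { version: "0.0.0-placeholder" }
      }
    },
    "event-stream": { version: "0.0.0-other" }
  }
};

// Depth-first walk of the nested dependency maps; every match is recorded
// with its version and the "parent@version > child@version" path to it.
function findPackage(lock, target) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${meta.version}`];
      if (name === target) {
        hits.push({ version: meta.version, path: here.join(" > ") });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Keep only occurrences whose version is on a block list (for instance the
// versions named in an advisory); an empty result means nothing to fix.
function flagVersions(lock, target, blockedVersions) {
  const blocked = new Set(blockedVersions);
  return findPackage(lock, target).filter((h) => blocked.has(h.version));
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(findPackage(SAMPLE_LOCK, "event-stream"));
  console.log(flagVersions(SAMPLE_LOCK, "event-stream", ["0.0.0-placeholder"]));
}
```

To use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and the block list with the versions from the advisory you are acting on.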
