Dominic Tarr Avatar

Dominic Tarr

The Changelog The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.

They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

Dominic Tarr github.com

Your web app is bloated

Using Firefox’s memory snapshot tool, Dominic Tarr measured the heap usage of a variety of web apps. The results are… not good. The biggest losers are Google properties followed closely by Slack (which is probably not a surprise). Fairing much better were GitHub (7.41MB), StackOverflow (2.55MB), and Wikipedia (1.73MB).

What struck me most is that while modern Gmail is one of the worst offenders (158MB), vintage Gmail uses just 0.81MB of memory. The ‘good ole’ days’ strike back!

0:00 / 0:00