Crypto-coin-stealing code sneaks into fairly popular NPM library

I’m not particularly into either npm (the JavaScript dependency library and installer) or cryptocoins (approximately “Bitcoins”), but I was talking to some fellow WordPress developers and this pretty interesting and complex security story came up. The summary is this:

On September 9, right9control added flatmap-stream as a dependency to event-stream, and then on September 16, removed the dependency by implementing the code themselves. However, this latter change was not automatically pushed out to the library’s users. On October 5, flatmap-stream was altered by a user called “hugeglass” to include obfuscated code that attempted to drain Bitcoins from wallets using the software.

Thus, anyone using event-stream and pulling in the cursed flatmap-stream, rather than the rewritten code, since October 5 would be potentially hit by the malicious script. The offending code has been removed from event-stream. If it’s any relief, the hidden malware is highly targeted, and not designed to attack every programmer or application using event-stream.

This is what’s commonly called a “supply chain attack”. It’s one of the less common attacks a WordPress site needs to worry about, but it’s still real, and it’s very interesting to see one in the wild. The heart of the problem is that not everyone can realistically vet all their dependencies, and the chain of trust in many software ecosystems is long and thus pretty weak. So it’s nearly impossible for the JavaScript ecosystem, in its current state, to prevent events like this. As awareness grows, I think thoughtful solutions will start to get implemented. But right now it’s still quite the Wild West.
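
A check that follows from the story above, as an added example rather than code from the original post or from npm: given a parsed package-lock.json, it lists the locked versions of a named package and which packages pull it in, which is how a transitive dependency like flatmap-stream can be spotted. The lockfile contents, `some-tool`, `my-app` and the placeholder versions are constructed for illustration.

```javascript
// Added example: report where a named package appears in an npm lockfile.
// Supports lockfileVersion 1 (nested "dependencies" with "requires") and
// lockfileVersion 2/3 (flat "packages" keyed by install path).
function auditLockfile(lock, target) {
  const installed = [];  // locked versions of the target package
  const requiredBy = []; // packages that declare the target as a dependency
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

  const visit = (name, meta, declared) => {
    if (name === target) installed.push(meta.version);
    if (has(declared, target)) requiredBy.push(`${name}@${meta.version}`);
  };

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      // Entries outside node_modules are the root project or workspaces.
      const name = i === -1 ? meta.name || path || '(root)' : path.slice(i + 13);
      visit(name, meta, { ...meta.dependencies, ...meta.optionalDependencies });
    }
  } else {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        visit(name, meta, meta.requires);
        walk(meta.dependencies); // packages nested under this one
      }
    };
    walk(lock.dependencies);
  }
  return { installed, requiredBy };
}

// Constructed sample lockfiles; versions are placeholders, not real releases.
const V = '0.0.0-example';
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'some-tool': { version: V, requires: { 'event-stream': '*' }, dependencies: {
    'event-stream': { version: V, requires: { 'flatmap-stream': '*' } },
    'flatmap-stream': { version: V },
  } },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', dependencies: { 'some-tool': '*' } },
  'node_modules/some-tool': { version: V, dependencies: { 'event-stream': '*' } },
  'node_modules/event-stream': { version: V, dependencies: { 'flatmap-stream': '*' } },
  'node_modules/flatmap-stream': { version: V },
} };

for (const lock of [sampleV1, sampleV3]) {
  console.log(lock.lockfileVersion, auditLockfile(lock, 'flatmap-stream'));
}
```

To run it against a real project, pass the result of `JSON.parse` on the contents of its package-lock.json as the first argument.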
