-
Notifications
You must be signed in to change notification settings - Fork 148
Comments
@FallingSnow did you manage to work out what the attack does? |
No. I spent a better part of a day trying to get something other than gibberish out of the encrypted AES payload. I've tried executing the gibberish and it errors out. I believe there are 2 possible reasons I haven't been able to get the actual payload's code.
|
unpkg link to help other people poke around: https://unpkg.com/flatmap-stream@0.1.1/index.min.js |
he emailed me and said he wanted to maintain the module, so I gave it to him. I don't get any thing from maintaining this module, and I don't even use it anymore, and havn't for years. |
note: I no longer have publish rights to this module on npm. |
Please contact npm support and they will take care of the situation. |
npm owner ls event-stream
right9ctrl <right9ctrl@outlook.com> Transfer publishing rights to the unknown dude, but keep the repo under your username. Well done, mate 👍 |
@limonte I tried to transfer it to @right9ctrl but github errored because they already had a fork of it at http://github.com/right9ctrl/event-stream If you guys feel strongly about this, why don't you volunteer to maintain it and contact npm support? |
To know if your project is in danger, run:
The bad actor has publishing rights to Here is an example result from one of my projects:
|
@dominictarr: although I completely disagree with someone else contacting npm support, I contacted npm support myself for now. You put at risk millions of people, and making something for free, but public, means you are responsible for the package. Anyway, I don't want to argue about this, I just want the issue to be solved, because this is a popular package. |
@dominictarr Apparently, you don't want to take any responsibility for this package. That's fine, it's the free community, do whatever you want. But at least indicate somehow that you're not maintaining this repo anymore, e.g. archive the repo
|
There is a huge difference between not maintaining a repo/package, vs giving it away to a hacker (which actually takes more effort than doing nothing), then denying all responsibility to fix it when it affects millions of innocent people. |
Fixes event-stream vulnerability: dominictarr/event-stream#116
fixes vulnerability highlighted in dominictarr/event-stream#116
Fixes vulnerability: dominictarr/event-stream#116 See mysticatea/npm-run-all#150 (comment)
EDIT 26/11/2018:
Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see
flatmap-stream@0.1.1
after runningnpm ls event-stream flatmap-stream
, you are most likely affected. For example:What does it do:
Other users have done some good analysis of what these payloads actually do.
What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to
event-stream@3.3.4
. This protects people with cached versions of event-stream.@dominictarr Why was @right9ctrl given access to this repo? He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to
flatmap-stream
, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of havingflatmap-stream
but still have everyone (millions of weekly installs) using 3.x affected.@right9ctrl If you removed flatmap-stream because your realized it was an injection attack why didn't you yank
event-stream@3.3.6
from npm and put a PSA? If you didn't know, why did you choose to use a completely unused/unknown library (0 downloads on npm until you use it)? If I had the exact date from npm in whichflatmap-stream@0.1.1
was published I wouldn't be asking you questions.I've included a break down of what I have so far on
flatmap-stream
below. It includes the portion of code not found in the unminified source offlatmap-stream@0.1.1
but found in the minified source. The code has been cleaned up a little to get a better understanding.The worst part is I still don't even know what this does... The decrypted data n[0] is byte code or something, not regular javascript, or maybe I'm just not handling it correctly.
The text was updated successfully, but these errors were encountered: