Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit

'[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets,' reports eWeek, adding 'The event-stream library has over two million downloads.'

An anonymous reader quotes Ars Technica:
The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... 'This compromise was not targeting module developers in general or really even developers,' an NPM official told Ars in an email. 'It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users....'
According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
'The time has come,' concludes Ars Technica, 'for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us.' Sophos' security blog also asks why so many developers 'immediately and blindly trusted the new maintainer,' and shared a concerned comment from developer named Chris Northwood.
'Nothing's stopping this happening again, and it's terrifying.'

Read more of this story at Slashdot.