Bitcoin-Stealing Malware Discovered In Popular JavaScript Package Used By The BBC, Microsoft

On November 20, developer Ayrton Sparling posted an issue on the GitHub repo for “event-stream” — a JavaScript package that sees 1-1.5 million downloads per week and is pulled into some rather high-profile projects. The issue, simply titled “I don’t know what to say”, described suspicious behaviour that, after extensive investigation by the community, turned out to be a bitcoin-stealing payload deliberately hidden inside the package’s dependency tree.

How the payload got in, and what it does once there, is a bit convoluted; if you’d like the full details, developer Zach Schneider has done a great job of compiling the various findings into a single article.

The basic explanation is that the original maintainer of event-stream handed publishing rights to someone they — in hindsight — shouldn’t have. That person used the access to add a new dependency carrying the malicious code and to publish a new event-stream release that pulled it in, which was then distributed automatically by “npm” — the package registry that is the go-to source for JavaScript odds and ends. Anyone who installed or updated event-stream during that window received the payload without any change to their own code.

The payload itself was narrowly targeted: it only activated when running inside a build of Copay, a bitcoin wallet, where it attempted to steal users’ wallet data and, with it, their bitcoin.

Fortunately, while event-stream is used by various organisations, including the BBC and Microsoft, their projects were not seriously affected, because the payload did nothing outside its intended target.

Microsoft acted quickly to determine the impact of the payload on Visual Studio Code users, ultimately ruling out major risk. In fact, it didn’t even need to patch Code itself; instead it banned the affected extensions from the marketplace and auto-uninstalled them.

So, the good news is the payload probably didn’t affect that many people. However, it has raised a lot of questions about how package registries such as npm are curated, how ownership of widely used packages is handed over, and about the JavaScript ecosystem’s reliance on deep trees of dependencies in general.

I don’t know what to say [GitHub]
