Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2

[NewEraCracker]

I'm using version 3.3.6 of this module. flatmap-stream was added by this commit:
e316336

The new updates to the package on npm are very suspicious.

0.1.0: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz
0.1.1: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
0.1.2: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.2.tgz

Regards.

[kevinburke]

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.

[funny-falcon]

Thrre were no bad intentions:
#73

[kevinburke]

per the description linked here: #116 (comment)

the package attempts to steal Bitcoin from an installed Bitcoin wallet, so yes, it does seem like there were really bad intentions!!!

[funny-falcon]

I mean flatmap-stream were added to this repository not to steal bitcoins but to implement functionality. @right9ctrl just didn't know flatmap were malicious.

[nic-hartley]

@funny-falcon Sure, that's why an utterly unknown package was used for flatmap instead of going with any of the many, many popular libraries which already provide it (lodash springs to mind instantly, but I'm 100% sure there are plenty of others). A package which had literally zero downloads before being integrated into event-stream. That's why the major version was bumped immediately afterwards without invalidating the old minor release which introduced the attack.

Sure. You keep believing it was unintentional. Whatever you say. I bet you're not even a sockpuppet.

[supernintendo]

@funny-falcon @right9ctrl deliberately added an older version of flatmap-stream that contained the malicious code. But whether this was intentional or a mistake is irrelevant. You can kill me in cold blood or as an unintentional casualty; either way I’m dead and want nothing to do with you.

[funny-falcon]

All kinds of justice distinguish intentional and unintentional murders.

[cmawhorter]

maybe someone has a better way, but to scan for flatmap:

find ~/ -path */node_modules/flatmap-stream/package.json

and plug the results into:

const paths = `/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json`;
paths.split(/\n/g).forEach(p => {
	const pkg = require(p.trim());
	console.log(pkg.version, p);
});

and look for 0.1.1 (i think?)

[supernintendo]

@funny-falcon Are you intentionally being obtuse or are you that much of a fucking idiot? It's called an analogy. We're obviously talking about open source code, not the justice system or due process. One of two scenarios are at play here:

1. @right9ctrl intentionally added the malicious dependency.
2. @right9ctrl unintentionally added the malicious dependency.

Either way, this person put others at risk by adding a version of flatmap-stream containing the malicious code. The library contains less than 200 lines of JS. I honestly hope @right9ctrl was being malicious because if this is the work of a legitimate developer trying to maintain a package used by hundreds of thousands of projects, then I'm done with JavaScript. The community has reached a new low if this was truly an honest mistake.

But personally @funny-falcon, I'm not one to blindly follow Hanlon's razor. If you want to convince me (and others) that this was not a malicious act, please provide better arguments than simply spamming "no bad intentions" in every thread. You look naive at best and suspect at worst.

[kevinburke]

It's not really appropriate to use that language nor to attack someone directly like that. Criticize the argument sure not the person.

[NewEraCracker]

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

[justrhysism]

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

As I understand it, NPM have already removed the package. But it might still be sitting in your cache.

[grantila]

@right9ctrl also forked node-scrypt which is used by coin and mining software, and in the fork changed already unsafe code (invalid memory reads) into just differently unsafe code.

And a certain person assuming "no bad intentions", is as @supernintendo said, "naive at best and suspect at worst"

[kseebrinegar]

crazy.

[yoyo837]

@right9ctrl Crazy...

[funny-falcon]

@supernintendo , first, you are really polite. Thank you for calling me fucking idiot. That really shows your level.

Second, with my claim I added link to the issue about flatmap functionality in this library opened three years ago and closed three months ago by @right9ctrl. That is why I claim that it was huge and unforgettable mistake, but just mistake.

Third, if you, @supernintendo, never made any mistake, then you are totally right... But there is no single man who never did mistakes.

Forth, leftpad happened more than two years ago, but people still import libraries for dozen line of codes. That is npm tradition. Obviously @right9ctrl just followed tradition. Given malicious code is present only in minified version of library, it is clear to me he didn't notice that malware. Do you check minified versions of all libraries you imported to your project? I really doubt.
And it is npm issue: npm should not allow publishing of minified versions. It should allow to publish public visible well readable versions.

"let him who is without sin cast the first stone" - spoked one great man. Don't forget this sentence.

[whevether]

@funny-falcon You're a good cooker. pot

[kevinpiac]

Have you tried to update event-stream version to 4.0.1 or downgrade to 3.3.5.? This worked for me.

[y-chen]

@kevinpiac what should I run? I haven't event-stream in my package.json .

npm install event-stream ?

Thanks

[kevinpiac]

@y-chen If you are using npm version 5 or newer, running npm i should generate a package-lock.json file. This file contains event-stream since it's a peer dependency of your project. Update it to 3.3.5 (last version before the backdoor) and run npm i again. This did the trick for me.

[aichholzer]

Morale of the story:

Write your own code and don't ever blindly trust your source.