A widely used Node.js library on the npm registry has been modified to include malware that steals cryptocurrency. The library in question is event-stream, which is downloaded more than two million times a week by back-end programmers.
This incident is a reminder of the dangers of large and complex dependency networks in software: unless appropriate measures are taken, any component of an application can be modified to compromise its security. If your project uses event-stream in any way, make sure you did not install the modified version in testing or production.
How did such a widely used library get infected?
This is how it started: a GitHub developer named “right9control” offered to take over responsibility for event-stream, and the existing maintainer agreed. event-stream was soon updated to include another module, flatmap-stream, which was then modified by another developer to include malware that could steal Bitcoins.
For more details on the event, see this timeline. In summary, right9control added flatmap-stream as an event-stream dependency on September 9 and removed the dependency again on September 16 by implementing the code directly in the library, although this change was not automatically propagated to users’ installed copies. On October 5, flatmap-stream was modified by a user named “hugeglass” to include code that was later discovered to steal bitcoins from wallets using the software.
Therefore, anyone who installed the modified flatmap-stream instead of the rewritten code could be attacked by the malware if it was downloaded after October 5. The malicious dependency has since been removed from event-stream. Fortunately, the hidden malware only targeted certain wallets and was not designed to attack every programmer and application that uses event-stream.