Unknown dev gets rights to popular module, adds crypto stealer


'Everything wrong with open source software security'.

A hugely popular open source JavaScript npm module had malicious code injected after the original developer handed it over to another, unknown person to maintain.

New Zealander Dominic Tarr maintained the code for the event-stream module, a JavaScript module used to process streaming data that has over two million weekly downloads.

Tarr said he was emailed by a user who goes by the moniker right9ctrl and who wanted to take over responsibility for maintaining the popular package.

As Tarr no longer found the project fun to work on (he did it for free and had no use for the module anymore), he handed off maintainer rights.

Soon after, however, code was added to event-stream which injected obfuscated malware.

Although at first it wasn't clear what the added malicious code did, users chipped in and worked out that it steals Bitcoin wallets from users of the Copay and Bitpay software libraries.

The incident has again highlighted the dangers of supply chain attacks, where malware could be injected into a trusted piece of code such as an open source software library relied on by large numbers of developers and projects.
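One defensive check that follows from this is to review every change to a project's dependency tree before it is installed, since a package handed to a new maintainer can gain a new version, a new transitive dependency or changed contents without any change to the project's own code. The script below is an added example, not code from the iTnews article or from the event-stream project: it diffs two npm `package-lock.json` trees (lockfileVersion 1 layout) and reports packages that were added, removed, or whose version or integrity hash changed. The two sample lockfiles, their package names other than `event-stream`, their versions and their integrity values are all constructed for illustration.

```javascript
// Added example (not from the article or the event-stream project): diff two
// npm package-lock.json (lockfileVersion 1) dependency trees so that a change
// in a transitive dependency surfaces for review before `npm install`.

// Flatten the nested "dependencies" tree into name -> Set of "version|integrity".
// A package can appear at several nesting levels with different versions, so a
// Set is kept per name rather than a single value.
function flattenLock(lock) {
  const seen = new Map();
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (!seen.has(name)) seen.set(name, new Set());
      seen.get(name).add(`${info.version}|${info.integrity || ''}`);
      walk(info.dependencies); // nested (non-deduplicated) dependencies
    }
  };
  walk(lock.dependencies);
  return seen;
}

// Compare two flattened trees. Output lists are sorted so the report is
// deterministic and can be diffed itself in CI.
function diffLocks(oldLock, newLock) {
  const before = flattenLock(oldLock);
  const after = flattenLock(newLock);
  const added = [];
  const removed = [];
  const changed = [];
  for (const [name, entries] of after) {
    if (!before.has(name)) {
      added.push(name);
      continue;
    }
    const prev = [...before.get(name)].sort().join(';');
    const next = [...entries].sort().join(';');
    // Same version but a different integrity hash is also a content change.
    if (prev !== next) changed.push({ name, from: prev, to: next });
  }
  for (const name of before.keys()) {
    if (!after.has(name)) removed.push(name);
  }
  added.sort();
  removed.sort();
  changed.sort((x, y) => x.name.localeCompare(y.name));
  return { added, removed, changed };
}

// Constructed sample lockfiles: the new lock bumps one package and, through it,
// pulls in a transitive dependency that was not in the tree before.
const OLD_LOCK = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '1.0.0', integrity: 'sha512-CONSTRUCTED-OLD',
      dependencies: {
        'some-dep': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED-SOMEDEP' },
      },
    },
  },
};
const NEW_LOCK = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '1.0.1', integrity: 'sha512-CONSTRUCTED-NEW',
      dependencies: {
        'some-dep': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED-SOMEDEP' },
        'newly-added-dep': { version: '0.1.0', integrity: 'sha512-CONSTRUCTED-ADDED' },
      },
    },
  },
};

// Produce the review report for the constructed sample pair.
function reviewReport() {
  return diffLocks(OLD_LOCK, NEW_LOCK);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = reviewReport();
  for (const n of r.added) console.log(`ADDED    ${n}`);
  for (const n of r.removed) console.log(`REMOVED  ${n}`);
  for (const c of r.changed) console.log(`CHANGED  ${c.name}: ${c.from} -> ${c.to}`);
}
```

In practice the two inputs would be the committed lockfile and the one produced by a proposed update; any entry under `ADDED` or `CHANGED` is a package whose contents someone on the project should look at before the update is merged.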

Rendition Infosec president and founder Jake Williams said the incident "embodies everything wrong with open source software security today."

"Guy builds npm module, then transfers control of the module to another user (who he does not know). This is then used to deploy malware," Williams tweeted.

"Don't blame the original dev (as some have been doing). They built a package for which they receive no compensation. Someone asked to help maintain a stale project and they said 'sure'. Creating open source software shouldn't be a lifelong commitment."

Tarr similarly told iTnews that the model was broken.

"When millions of people depend on something that the original author has very little motivation to maintain, that's insane," Tarr said.

"Once something gets popular, you only hear from people who are having a problem with it.

"If you break anything - easy to do - you'll have many people suddenly upset at you. It's a lot of responsibility and potential downside, but no upside to speak of."

Tarr suggested that maintainers get paid and that those who depend on modules take part in the process, so that the responsibility for published code scales according to usage and need.

The malicious version of the code has been removed by npm.

Copyright © iTnews.com.au . All rights reserved.
