11
noder
2y

security fiasco due to a malicious npm package:

Because of a bitcoin miner present in the event-stream npm module (https://bleepingcomputer.com/news/...), my entire team and I had to scan all our nodejs apps, repos and, the most excruciating one, all node_modules folders across all our dev machines and servers, to see if event-stream and flatmap-stream were present, then not just delete them but update a bu**load of upstream dependencies which internally used event-stream. All due to one malicious package which was hidden several layers beneath.

And this happened almost 8 months after the aforesaid vulnerability was first found.
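One way to make the scan described above less excruciating, as an added example that is not part of the original post: a Node script that traces which dependencies in an npm v1 lockfile (the `dependencies`/`requires` shape) pull in a named package such as event-stream or flatmap-stream, so the team knows which upstream packages actually need updating. The sample lockfile and every package name other than event-stream and flatmap-stream are constructed for this example.

```javascript
// Added example, not from the original post. Sample lockfile constructed inline;
// versions are placeholders and all names other than event-stream / flatmap-stream are made up.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'some-build-tool': { version: '1.0.0', requires: { 'event-stream': '^3.0.0' } },
    'event-stream': {
      version: '0.0.0-placeholder',
      requires: { 'flatmap-stream': '0.0.0-placeholder', through: '^2.0.0' },
    },
    'flatmap-stream': { version: '0.0.0-placeholder' },
    through: { version: '2.3.8' },
    'unrelated-lib': { version: '4.2.0', requires: { through: '^2.0.0' } },
  },
};

// Flatten nested "dependencies" blocks into one name -> entry map (first copy wins).
// npm v1 lockfiles nest a package under its parent when it could not be hoisted.
function flattenDeps(deps, out = new Map()) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (!out.has(name)) out.set(name, entry);
    flattenDeps(entry.dependencies, out);
  }
  return out;
}

// Return every chain (array of names) from a root dependency down to `target`.
// Top-level lock entries include hoisted transitive packages, so pass the
// package.json dependency names as `roots` to report only your direct deps.
function findChainsTo(lock, target, roots = Object.keys(lock.dependencies || {})) {
  const all = flattenDeps(lock.dependencies);
  const chains = [];
  const walk = (name, path, seen) => {
    if (seen.has(name)) return; // guard against dependency cycles
    const next = [...path, name];
    if (name === target) { chains.push(next); return; }
    const entry = all.get(name);
    if (!entry) return;
    const nextSeen = new Set(seen).add(name);
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next, nextSeen);
  };
  for (const root of roots) walk(root, [], new Set());
  return chains;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const chain of findChainsTo(SAMPLE_LOCK, 'flatmap-stream')) console.log(chain.join(' -> '));
}
```

Run it against a real `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of `SAMPLE_LOCK`; an empty result for both package names is the clean state the post's team was checking for.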

Comments
  • 4
    I'm still not seeing how relying on random packages is a good thing 🤦‍♂️

    Open source != safe code.
  • 2
    @C0D4 Most of a nodejs app is external packages taken from the npm registry. So there is always a risk of one of them messing up.

    That being said, my lesson was to keep my packages always updated, as this vulnerability got introduced in a particular version. Even though the author issued an update immediately to fix it, I did not realize it and didn't upgrade my packages :(
  • 3
    @C0D4 people are so stupid that they will use fucking libraries to add numbers, and add that as a dependency in their packages. Npm became a nightmare...
  • 1
    @mindev The NPM mentality is code communism.
  • 0
    @Root don't you mean wentability?
  • 1
    @ojrask Wentability?
  • 1
    @Root me -> we as any good communist would say
  • 2
    @ojrask @Root oh fuck just saw my typo. Joke totally ruined by now haha.

    Wentality!
  • 3
    JS devs: pulling in tons of crap that nobody nowhere reviews even superficially.

    Also JS devs: aaahhhhh some nasty shit got through this review process!
  • 0
    What kind of reviews does boost get? I also don't check the libraries from Qt. My manager makes a lot of the decisions as to what libraries to use.

    Genuinely curious.