Exploiting Developer Infrastructure Is Ridiculously Easy

The open-source ecosystem is broken


Details of the Exploit

The payload on flatmap-stream was set up to ingest a data file that had, among some trivially obfuscated strings, two encrypted payloads that could only be decrypted with a known password.


The amount of effort this took was not trivial. This exploit took a lot of research and planning, and it likely had backup routes in case event-stream could not be hijacked. Given the way the attack played out, it seems plausible that the actor targeted Copay specifically rather than grabbing a valuable library and planning out an attack from there. The popularity of event-stream meant that the attacker had an easy route into privileged computers in hundreds of companies across the globe. Thankfully, it was limited in scope and caught quickly, considering how long it could have gone unnoticed, but thinking about what could have happened leads us to an obvious conclusion:

Open Source Is Incredibly Broken

Let’s count all the things that went wrong.

  1. Even without locked versions, those dependencies aren’t cached and are pulled on every build.
  2. Thousands of other projects are dependent on event-stream with the same or similar configurations.
  3. The maintainer stopped caring about a library that thousands of projects depended on.
  4. Thousands of projects consume this library for free and expect it to be maintained without any compensation.
  5. The maintainer gave full control to an unknown entity just because they asked for it.
  6. There was no notification that control had changed; thousands of projects were simply expected to keep consuming the package with no warning.
  7. There’s really no end—this list of things that went wrong could go on and on…
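As an added example (not code from the original article), the script below shows the kind of pre-upgrade check that would have surfaced items 5 and 6 above: it compares two versions in an npm registry document and reports maintainers who appeared or left and dependencies that were newly introduced. The registry document is constructed by hand in the shape assumed for the registry's per-package response (`versions[v].maintainers`, `versions[v].dependencies`), and the maintainer names are placeholders.

```javascript
// Added example, not from the original article. Audits a constructed npm registry
// document (assumed shape: doc.versions[v].maintainers and doc.versions[v].dependencies)
// for two signals nobody was warned about: a maintainer change and a new dependency.

// Constructed sample. Maintainer names are placeholders; version and package
// names follow the event-stream / flatmap-stream case discussed above.
const SAMPLE_DOC = {
  versions: {
    "3.3.5": {
      maintainers: [{ name: "maintainer-a" }],
      dependencies: { through: "~2.3.1", "map-stream": "~0.1.0" },
    },
    "3.3.6": {
      maintainers: [{ name: "maintainer-a" }, { name: "maintainer-b" }],
      dependencies: { through: "~2.3.1", "map-stream": "~0.1.0", "flatmap-stream": "^0.1.0" },
    },
  },
};

// Maintainers present in `to` but not in `from`, and vice versa.
function maintainerChanges(doc, from, to) {
  const names = (v) => new Set((doc.versions[v].maintainers || []).map((m) => m.name));
  const before = names(from), after = names(to);
  return {
    added: [...after].filter((n) => !before.has(n)),
    removed: [...before].filter((n) => !after.has(n)),
  };
}

// Dependencies that first appear in `to`. A range specifier (^ ~ > * x) means an
// unlocked install keeps floating to whatever that package publishes next.
function newDependencies(doc, from, to) {
  const before = doc.versions[from].dependencies || {}, after = doc.versions[to].dependencies || {};
  return Object.entries(after)
    .filter(([name]) => !(name in before))
    .map(([name, spec]) => ({ name, spec, floating: /[\^~>*x]/.test(spec) }));
}

// Findings a CI job could print before accepting the upgrade.
function auditUpgrade(doc, from, to) {
  const findings = [];
  const m = maintainerChanges(doc, from, to);
  if (m.added.length) findings.push(`new maintainer(s): ${m.added.join(", ")}`);
  if (m.removed.length) findings.push(`maintainer(s) left: ${m.removed.join(", ")}`);
  for (const d of newDependencies(doc, from, to)) {
    findings.push(`new dependency ${d.name}@${d.spec}${d.floating ? " (floating range)" : ""}`);
  }
  return findings;
}
```

Run against the sample, `auditUpgrade(SAMPLE_DOC, "3.3.5", "3.3.6")` reports the added maintainer and the new floating dependency, which is exactly the information the consuming projects never received.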

Open source is broken, and the larger it grows the more likely that catastrophic events will occur.

The problem is that so much software is built on the backs of people who are expected to work for free. They deliver useful software once but are expected to maintain it until the end of time. If they can’t, either they go dormant and ignore requests or security vulnerabilities (guilty!) or they pass the baton to someone else hoping they can get away without getting tagged ever again. Sometimes it works. Sometimes it doesn’t. But no outcome can excuse the security vulnerabilities this exposes in the software supply chain. Even the discovery of, research into, and subsequent damage control for this exploit was done largely by unpaid volunteers of the open-source ecosystem.

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.
