The JavaScript ecosystem experienced a significant shock with a sophisticated attack on Copay, a popular cryptocurrency wallet provider, in November 2018. Known as the event-stream attack, this incident highlighted the critical vulnerabilities associated with relying on third-party dependencies in software development.
Copay is now known as Bitpay Wallet.
Understanding the attack
Event-stream, a popular npm package, was widely utilized by numerous projects for efficiently managing streams of data within Node.js applications. Its functionality was pivotal for developers who handled complex data flows in real-time applications.
In this article, we covered the most common hidden attack vectors and supply chain attacks in more detail.
Initially maintained by a dedicated and trusted developer, the module had become a staple in many software projects due to its reliability and performance.
Though as often happens in the open-source community, the original maintainer of event-stream could no longer allocate time to manage the project. In late 2018, responsibility for event-stream was passed to a new volunteer maintainer. This transition, while common in open-source ecosystems, did not come with the typical rigorous security checks. The new maintainer, ostensibly a contributor with good intentions, was later revealed to have malicious motives.
Shortly after taking over, this person released several updates to event-stream. Embedded within these updates was a new dependency called ‘flatmap-stream’. This package was specifically crafted to be part of the event-stream update. Unbeknownst to users, ‘flatmap-stream’ contained malicious code that was obfuscated—a technique used to hide its true functionality and avoid detection by security tools and code reviews.
Know that c/side deobfuscates the code so you get a full detailed view of what is loading. We then analyze the full code before it gets rendered by the browser of your user. This would’ve likely caught this incident.
The malicious code within ‘flatmap-stream’ was designed to activate only when certain conditions were met, specifically within the environment of Copay, a cryptocurrency wallet application built using JavaScript. This specificity shows the targeted nature of the attack; the attackers had a clear understanding of Copay’s internal architecture and dependencies.
The payload was programmed to detect whether the environment had characteristics of Copay’s development setup. Once confirmed, it would execute routines that searched for and extracted private keys and wallet details from accounts holding substantial amounts of Bitcoin and Bitcoin Cash. These details were then transmitted to a remote server controlled by the attackers.
Consequences of the attack
The event-stream incident is a textbook example of a client-side supply chain attack, where the compromise of a single component can affect thousands of downstream projects.
The stealthy insertion and activation of the malicious code meant that it remained undetected for several weeks. Another common feature of supply chain attacks.
During this time, any updates to the Copay application inadvertently included the compromised module, thereby endangering all active and new installations of the wallet. Users were completely unaware that their newly installed or updated Copay wallets were compromised.
This attack not only resulted in financial losses of those users, but also dealt a severe blow to the trust placed in open-source modules and the broader npm ecosystem.
It highlighted several critical lessons:
-
Trust and Verification: The necessity of vetting the credentials and trustworthiness of individuals who are given control over widely used open-source projects.
-
Visibility and Monitoring: The importance of having visibility into the behavior of third-party dependencies, especially those that are capable of compromising the integrity of critical software. All of this c/side covers.
-
Rapid Response: The need for rapid response mechanisms when a vulnerability is discovered, to prevent widespread damage.
Immediate actions and community response
Once the malicious injection was uncovered, the npm team acted swiftly to remove the compromised version of event-stream from the registry to prevent further propagation. This version was also deprecated to ensure developers were aware of the security risk and discouraged from using it in any new projects.
The event-stream incident has had lasting implications for the npm ecosystem, reinforcing the importance of security in software development and the inherent risks of dependency chains especially in open-source projects. It led to a heightened awareness and more cautious approach towards the integration of third-party packages, ultimately contributing to a more secure open-source software environment.
Read here why supply chain risk doesn't end at npm.
Prevent a similar attack with c/side
The event-stream incident is a reminder of the vulnerabilities inherent in software dependencies. Such vulnerabilities exposes businesses to severe risks, including data theft and financial loss. At c/side we monitor, secure and even optimize your 3rd-party scripts. We offer:
-
Advanced Monitoring: Our monitoring systems keep an eye on all third-party scripts and dependencies integrated into your projects. We identify and alert you to any unusual activity or modifications in real-time, preventing potential breaches before they occur.
-
Automated Security Enhancements: We automate the process of securing your software supply chain from a 3rd-party asset side. Before the script is delivered by a user on your site, we have checked the full code for anything malicious in our proxy. If we find something, it will not touch their browser.
-
Optimized For Speed: Our proxy does the opposite of adding latency. In most cases we can speed up those scripts to decrease loading times.
-
Proactive Defense: Our proactive approach extends beyond simple monitoring. We analyze trends and patterns in global cybersecurity threats to continually enhance our defense mechanisms. This foresight allows us to anticipate and mitigate potential new vectors of attack.
-
Ease of Integration: Integrating c/side into your existing systems is incredibly easy. Just add our script as the first to load and have all others covered.