Don’t get me wrong, I love me some NodeJS. You can quickly create apps, but at cost. It has several major security flaws, the biggest being NPM. Last week, it was reported that the NPM module event-stream had suddenly become malicious and was detected possibly stealing from Bitcoin wallets.
For those who don’t know, NPM typically ships with NodeJS. It allows developers to quickly and easily download modules (or libraries) into the apps they’re developing. In the case of the event-stream module, it was acquired legally by a malicious attacker. The attacker injected a hack into a dependency for event-stream called flatmap-stream. It went undetected for several weeks. The hack was encrypted inside of this dependency, and once it reached the target Bitcoin wallets, all they had to do was execute the hack. One of the biggest complaints about NPM is that when a single dependency is added, 10 more can automatically be added. Each dependency requires more dependencies. It’s very common to wind up with a massive dependency tree from just adding just one module.
NPM is tackling this issue by doing a vulnerability look up on each module. The problem with this is, the vulnerability has to be known and reported. In the case of the event-stream vulnerability, it took 6 days before NPM was able to issue the advisory, labeling event-stream as malicious.
When deploying a new app, software developers should do a code review to ensure their app doesn’t have any security vulnerabilities. Even on their own dependencies, just to make sure something like event-stream doesn’t happen. The problem is, when developers have hundreds or thousands of dependencies, it’s nearly impossible to go through each of them to ensure their safe. It could take a single team of five people years to do the review. It’s out of the question.
The event-stream attack isn’t new, it’s only becoming more common.
These types of attacks are called supply-chain attacks, and in October, within a week, two similar supply-chain attacks were detected. I predict that with the rise of anonymous cryptocurrencies, hackers could potentially legally buy the rights to open source software and launch massive attacks.
Using RadJav, these types of attacks cannot work. We’re making developing software not only easier, but more secure. We offer a single easy to use library that contains nearly everything a developer could need. In addition, when combined with RadJav blockchain V2, we can help ensure that the developers working on a module for RadJav are not malicious. This is something unique only our V2 blockchain can handle.
For the latest developments on RadJav, join us on our Slack channel at:
Or try RadJav yourself by downloading it here.