Quick Review of the “Flat map-stream” attack
THE SOCIAL ENGINEERING ATTACK
This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over to maintain the event-stream module. This developer, “Right9ctrl” was able to develop the trust to gain access and ultimately acquire ownership by providing several contributions to the overall package. After eventually gaining full access to the source code he began his malicious intent.
THE CODE ATTACK
The attacker began his malware journey in a two-step process in modifying event-stream. First, the version released for public consumption in September had been updated with a futile module known as “flat map-stream.” The malicious developer curated “event-stream” to hinge on the malicious code, “flat map-stream.” This section was precisely fashioned for the purposes of this attack. That bundle comprises a fairly meek index.js file, with the inclusion of a minified index.min.js file. The compound files on GitHub seem blameless enough. In the Second step, the user implemented an update in “flat map-stream” to include the payload that attempted to rob cryptocurrency wallets and send the balances to a server in Malaysia.
It zeroed in on a specific wallet to affect, Co-pay. This is a secure bitcoin wallet app for desktop and mobile apparatuses. This is known since the malevolent suite explicitly targets that application because the obscured code reads the “description” field from a project’s “package. Son file,” then implements that description to decrypt an AES256 encrypted payload. At the onset of the code, the strings become decrypted implementing data from the consuming package. If it hits a dud, it would error out, but the mistake would be situated and disregarded.
It may well be enticing to bank on tools which scan npm packages by means of static analysis. This specific attack encrypts the malicious source code to avoid detection. To protect against such an attack a different approach or approaches must be implemented.
First, the developers in the open source market must be aware of who they are handing over duties too. It is common practice to hand over source code as that is the nature of the coding culture. However, this needs to be addressed to provide some form of a security measure to make sure this social engineering attack is mitigated.
Of course, this was eventually a foreseen security flaw. The “event-stream” attack won’t be the last, and it’s likely right now there are other bits of malicious code in wide use in existing npm packages/open-source code that has not been detected.
About the Author
Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University. Joe Guerra is a cybersecurity/computer programming instructor at Hallmark University. He has 12 years of teaching/training experience in software and information technology development. Joe has been involved in teaching information systems security and secure software development towards industry certifications. Initially, Joe was a software developer working in Java, PHP, and Python projects. He is constantly researching attack techniques, forensic investigations, and malware analysis. He is focused on training the new generation of cyber first responders at Hallmark University.