Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NjQtNXI3eC0ycTUz
Malicious Package in flatmap-stream
Version 0.1.1 of flatmap-stream is considered malicious.
This module runs an encrypted payload targeting a very specific application, copay and because they shared the same description it would have likely worked for copay-dash.
The injected code:
- Read in AES encrypted data from a file disguised as a test fixture
- Grabbed the npm package description of the module that imported it, using an automatically set environment variable
- Used the package description as a key to decrypt a chunk of data pulled in from the disguised file
The decrypted data was part of a module, which was then compiled in memory and executed.
This module performed the following actions:
- Decrypted another chunk of data from the disguised file
- Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
- Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
- Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:
The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.
This code would do the following:
- Detect the current environment: Mobile/Cordova/Electron
- Check the Bitcoin and Bitcoin Cash balances on the victim's copay account
- If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
- Harvest the victim's account data in full
- Harvest the victim's copay private keys
- Send the victim's account data/private keys off to a collection
Recommendation
If you find this module in your environment it's best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.
Permalink: https://github.com/advisories/GHSA-9x64-5r7x-2q53JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NjQtNXI3eC0ycTUz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9x64-5r7x-2q53
References:
- https://github.com/dominictarr/event-stream/issues/116
- https://www.npmjs.com/advisories/737
- https://github.com/advisories/GHSA-9x64-5r7x-2q53
Affected Packages
npm:flatmap-stream
Versions: = 0.1.1No known fixed version