Trouble in the Software Crowdsourcing Paradise

The world of software crowdsourcing is experiencing a new threat that is far more serious than the existing nuisances (e.g. dependency hell, heartbleed bug). In it, a malicious programmer included code in a popular and widely deployed Javascript library to steal cryptocurrency wallets. To explain the significance, let me quickly review the history of this model for software development.

Crowdsourced programming started to gain attention in the late 1990s along with the success of Linux operating system. Erc Raymond made the movement official by publishing “The Cathedral and the Bazaar”. His line - “given enough eyeballs, all bugs are shallow” - became its founding philosophy.

Fast forward by twenty years, and it appears that the world is running short of skilled eyeballs, thanks to the widespread acceptance of crowdsourced development. Hence we get the corollary to Eric Raymond’s rule - when the eyeballs are few, bugs get deep. The best illustration came in the form of heartbleed bug in a critical component of the internet architecture.

The second type of nuisance is popularly known as dependency hell. When program A depends on library B, which in turn relies on libraries C, D and E, any change in B, C, D and E can make A fail. Joe Armstrong, the creator of Erlang programming language has been critical of writing code with dependencies. He wrote in twitter -

Of course - I try to write code with zero dependencies - code I wrote 25 years ago with zero dependencies still works today. Code I wrote 5 years ago with external dependencies often fails.

Nonetheless, those are nothing compared to the new threat that can seriously compromise open-source model. It was discovered late last year that the widely deployed Javascript library named event-stream got infected by malicious code to steal cryptocurrency wallet. The library (and the malicious code) got downloaded 8 million times in 2.5 months. Check here, here and here for more details.

It is more important to know how that malicious code got into the popular library. From the last link above -

event-stream is a very popular npm package which exposes a number of helpers for working with streams inside a node application. It currently receives over 1.9 million weekly downloads. However, it hasn’t been in active development for a couple of years; its author, dominictarr, maintains a large number of projects and no longer had a personal use for event-stream so it fell to the wayside.

Sometime around early to mid September, a user with the handle right9ctrl (their GitHub account is now deleted) offered to take over maintenance duties; dominictarr agreed and gave right9ctrl access on GitHub and npm.

On September 9, right9ctrl added a dependency called flatmap-stream in order to support a flatmap function in event-stream (not at all out-of-place as event-stream already exposes similar utilities like a regular map). Then, on September 16, right9ctrl removed the flatmap-stream dependency and directly implemented the flatmap function within event-stream. Again, nothing to really raise concern here: it’s certainly not uncommon to add a new dependency and then decide a few days later that it would be better to implement yourself.

To cut to the chase, the new developer added the malicious code in minified form to make the change nearly invisible. The script intended to steal bitcoin wallet from users and send them to attackers’ servers. Ironically, the attack got discovered due to “dependency hell”. The developer used a deprecated library, and someone bothered by the “deprecated” warning went in to check where it was coming from.

This new attack can seriously compromise open-source software development, which relies entirely on trust. Moreover, the dependencies keep rising as explained in the essay “A Generation Lost in Bazaar”. Therefore, the trust horizon needs to keep rising, which is impossible. Trust does not scale.