
Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream's back, back again


Thought you cleaned up your malicious flatmap-stream code? Check again.

You may have thought you'd read everything there was to read about flatmap-stream and as a result, fixed the offending component once and for all. However, after a deeper inspection of embedded components potentially still in use, the Sonatype Data Research team has uncovered a different reality.

The situation is similar to this: imagine a large meat manufacturer shipped a batch of bad beef that was recalled. They have cleaned up their act and removed the tainted product from all of their manufacturing and packaging plants. However, the meat they sold to Picabe Burgers months ago has already been formed into hamburgers and stored in the freezer, ready to be cooked and sold in the coming weeks. The meat manufacturer is no longer "vulnerable", but you, the consumer, could still be exposed or "exploited" by what remains.

In this month's Nexus Intelligence Insights, we'll take a deeper dive into the additional attack vectors that remain at risk from the original flatmap-stream vulnerability, something we at Sonatype call secondary expansion, and give remediation guidance on what to do next.

Name of Vuln/Sonatype ID: Sonatype-2018-0413

Type of Vulnerability: Malicious code injection

Components Affected:

  • @eyedea-sockets/messenger-bot 0.0.4
  • @eyedea-sockets/syncano-socket-intercom-integration 0.0.11
  • apollo-discover-resolvers 1.0.2
  • framework-data 9.7.1
  • generator-ozone-be 1.0.39
  • generator-ozone-be 1.0.41
  • generator-ozone-be 1.0.42
  • generator-ozone-be 1.0.43
  • generator-ozone-be 1.0.44
  • generator-ozone-be 1.0.45
  • generator-ozone-be 1.0.46
  • generator-ozone-be 1.0.47
  • hellhun_homelibrary 1.0.0
  • hellhun_homelibrary 1.0.1
  • koa-swapi 1.1.3
  • moab-mother 1.3.0
  • node-antivir 1.0.0
  • ocad2geojson 1.1.0
  • ocad2geojson 1.2.0
  • ocad2geojson 1.2.1
  • ocad2geojson 1.2.2
  • ocad2geojson 1.2.3
  • pux-react 0.0.0
  • sdk-flags 1.0.3

Vulnerability Description:

First, let's take a step back in time to November 2018. A malicious user modified event-stream to depend on a malicious package called flatmap-stream. This package was specifically crafted for a very specialized and purposeful attack: the malicious user was only interested in harvesting cryptocurrency from applications that performed that type of payment task.

Fast forward to today, and bundled node modules open up potential vectors in an additional 12 components.

Attack Mechanics, other vectors:

It's important to understand the potential scale of any vulnerability related to this set of components. The event-stream package alone receives over 1.5M weekly downloads and is depended on by nearly 1,600 other packages. If this attack had not been specific to harvesting cryptocurrency, the consequences could have been dire for the thousands of applications that depend on them. The components that bundle flatmap-stream pose a serious risk given their general utility.

The results of the analysis performed by the Sonatype Data Security Research team:

First, a little about secondary expansion. Our proprietary system for identifying vulnerable code (or, in this case, malicious code) utilizes Advanced Binary Fingerprinting (ABF). The result is precise identification of embedded dependencies that reflects everything that's implicated. ABF identification utilizes cryptographic hashes of binaries, structural similarity, derived coordinates, and file names. It can even identify renamed or modified components, whether they were declared or not, misnamed, or added to the code base manually.

Using this method, our team discovered twelve additional npm components that carry the same payload as the one responsible for the first event-stream vulnerability.

| Component Name | Usage or Purpose |
| --- | --- |
| @eyedea-sockets/messenger-bot | Syncano Socket for Facebook messenger-bot |
| @eyedea-sockets/syncano-socket-intercom-integration | Syncano Socket for intercom integration |
| apollo-discover-resolvers | A helper to import GraphQL resolvers and build resolver object for an Apollo Server |
| framework-data | Framework to calculate Zillow zestimates |
| generator-ozone-be | Creates express-js app with jest bundled along with lint and pre-commit hooks configured |
| hellhun_homelibrary | A sample auction app to demonstrate the capabilities of Gulp |
| koa-swapi | Router for Koa |
| moab-mother | Mother of all traders (the ReadMe is in Dutch and the purpose of the package is not apparent) |
| node-antivir | No information available |
| ocad2geojson | Converts OCAD files to GeoJSON |
| pux-react | A sample web app using React |
| sdk-flags | SDK for Flags |

Digging deeper, we examine what's vulnerable:

Ten of the twelve components come bundled with a `node_modules` folder that contains one of the malicious versions of `flatmap-stream` (the module included in `event-stream` that contained Bitcoin-siphoning malware). Of the ten, three components get more interesting. 

`@eyedea-sockets/messenger-bot` and `@eyedea-sockets/syncano-socket-intercom-integration` have the `node_modules` folder archived in a hidden folder, while `pux-react` has the payload embedded in an inner archive roughly 115 levels deep. The Sonatype Data Security Research team believes this may be an attempt to evade antivirus and malware scanners, which typically only scan archives a few layers deep.

`node-antivir` has a slightly different modus operandi but is just as suspicious. It contains the malicious payload and nothing else. This component might have acted as another dependency of `event-stream` or similar libraries in order to pull off the cryptocurrency hack. npm shows a low number of downloads of this library around the time that the event-stream/flatmap-stream attack was going on. It has since fizzled out and currently shows no dependents.
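The two evasion patterns described above, a bundled copy parked under a hidden folder and a payload wrapped in many layers of inner archives, are exactly what a shallow scan misses. The following is an added example written for this post, not Sonatype's ABF or any project code; it walks a project tree (including dot-directories) and opens `.tgz` archives in memory to a configurable depth, reporting every `package.json` that names `flatmap-stream`, its version, how many archive layers deep it sat, and whether a hidden directory is on its path. The `scan_sample` fixture builds a constructed tree so the scanner can be exercised offline; the version string in it is made up.

```python
import io, json, os, tarfile, tempfile
from pathlib import Path

TARGET = "flatmap-stream"  # the package bundled inside the components listed above

def _scan_entry(findings, rel, data, depth, max_depth):
    """Check a package.json for the target; open a tarball in memory and walk it recursively."""
    if rel.split("/")[-1] == "package.json":
        try:
            meta = json.loads(data)
        except ValueError:
            return  # not JSON: nothing to report
        if meta.get("name") == TARGET:
            findings.append({"path": rel, "version": meta.get("version"), "archive_depth": depth,
                             "in_hidden_dir": "/." in "/" + rel.replace("!", "/")})  # dot-dir on path
    elif rel.endswith((".tgz", ".tar.gz")) and depth < max_depth:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:  # "outer.tgz!member" marks an entry found inside an archive
                if m.isfile():
                    _scan_entry(findings, f"{rel}!{m.name}", tar.extractfile(m).read(),
                                depth + 1, max_depth)

def find_flatmap_stream(root, max_depth=120):
    """Walk a project tree; os.walk enters dot-directories, so hidden copies are seen."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == "package.json" or name.endswith((".tgz", ".tar.gz")):
                full = Path(dirpath, name)
                _scan_entry(findings, full.relative_to(root).as_posix(), full.read_bytes(), 0, max_depth)
    return findings

def scan_sample(nesting=3):
    """Constructed sample tree: one copy under a hidden dir, one in a .tgz nested `nesting` deep."""
    pkg = json.dumps({"name": TARGET, "version": "0.0.0-constructed"}).encode()
    root = Path(tempfile.mkdtemp())
    hidden = root / ".cache" / "node_modules" / TARGET
    hidden.mkdir(parents=True)
    (hidden / "package.json").write_bytes(pkg)
    blob, member = pkg, "package/package.json"
    for _ in range(nesting):  # wrap the package.json in `nesting` layers of .tgz
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            info = tarfile.TarInfo(member)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
        blob, member = buf.getvalue(), "package/inner.tgz"
    (root / "vendor.tgz").write_bytes(blob)
    return find_flatmap_stream(root)
```

The default `max_depth` of 120 is deliberately above the ~115 layers seen in `pux-react`; a scanner that stops after a handful of layers would report the sample's hidden-folder copy but never reach the nested one.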

By doing a granular component analysis to discover what's been embedded or hidden in the code, Sonatype has created a composite risk view of these components, giving our customers a substantial head start on threats that most open source security vendors will not discover until there's a breach. This in-depth research and predictive analysis gives our customers using these vulnerable components a holistic risk profile they can use to drive policy.

Remediation Recommendation:

In the interest of being good citizens of the open source community, our Data Security Research Team has reached out to npm and made them aware of our findings. npm responded promptly and is working on fixes for the impacted components. We appreciate their rapid response and will assist where we can.

Any applications running these packages should be investigated for malicious activity and replaced with a safe version not containing the malicious code.

DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Customers of Sonatype Nexus were notified of Sonatype-2018-0413 within hours of the project being notified. Their development teams automatically received instructions on how to remediate the risk.

If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to the blog to automatically receive Nexus Intelligence Insights hot off the press.


Written by Elisa Velarde

Elisa was a Senior Product Marketing Manager at Sonatype. She brought over 10 years of experience in sourcing, mentoring, and leading Marketing or full Agile product teams while maintaining a collaborative, cross-departmental approach to support company goals.