Posted  by  admin

Bitcoin Github Source Code


EDIT: Am I affected?: If you are using anything crypto-currency related, then maybe. As discovered by, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point).

Github Blockchain

If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

$ npm ls event-stream flatmap-stream

What does it do: Other users have done some good analysis of what these payloads actually do.

What can I do: By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

Why was given access to this repo? He added which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected. If you removed flatmap-stream because you realized it was an injection attack why didn't you yank event-stream@3.3.6 from npm and put a PSA?

If you didn't know, why did you choose to use a completely unused/unknown library (0 downloads on npm until you use it)? If I had the exact date from npm in which flatmap-stream@0.1.1 was published I wouldn't be asking you questions. I've included a breakdown of what I have so far on flatmap-stream below. It includes the portion of code not found in the unminified source of flatmap-stream@0.1.1 but found in the minified source.

The code has been cleaned up a little to get a better understanding. The worst part is I still don't even know what this does.

Bitcoin Original Source Code Github

The decrypted data n0 is byte code or something, not regular javascript, or maybe I'm just not handling it correctly. I spent a better part of a day trying to get something other than gibberish out of the encrypted AES payload.

Code

I've tried executing the gibberish and it errors out. I believe there are 2 possible reasons I haven't been able to get the actual payload's code. I might not be using the correct passphrase. Even though the description for ps-tree is the only passphrase that actually successfully decrypts the encrypted payload, it may still not be the correct passphrase. I'm using an invalid charset with the payload?
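
The `npm ls event-stream flatmap-stream` check described above only covers what is installed locally. The following added example (not code from the original post or from npm) runs the same check against a parsed `package-lock.json`, in either the nested v1 layout or the flat v2/v3 `packages` layout, and reports `flatmap-stream@0.1.1` and `event-stream@3.3.6`. The function names, the sample lockfiles and the `example-parent` package are constructed for illustration.

```javascript
// Versions named on this page: flatmap-stream@0.1.1 and event-stream@3.3.6.
const FLAGGED = new Map([
  ["flatmap-stream", new Set(["0.1.1"])],
  ["event-stream", new Set(["3.3.6"])],
]);

function record(name, version, where, findings) {
  const bad = FLAGGED.get(name);
  if (bad && bad.has(version)) findings.push({ name, version, where });
}

// Lockfile v1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    record(name, info.version, path.join(" > "), findings);
    walkV1(info.dependencies, path, findings);
  }
}

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/@scope/b" holds package "@scope/b".
function walkPackages(packages, findings) {
  const marker = "node_modules/";
  for (const [key, info] of Object.entries(packages)) {
    const i = key.lastIndexOf(marker);
    if (i === -1) continue; // root project or workspace folder
    record(key.slice(i + marker.length), info.version, key, findings);
  }
}

// Takes a parsed package-lock.json and returns every flagged install.
function findFlagged(lock) {
  const findings = [];
  if (lock.packages) walkPackages(lock.packages, findings);
  else walkV1(lock.dependencies, [], findings);
  return findings;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "example-parent": { version: "1.0.0", dependencies: {
    "event-stream": { version: "3.3.6" } } },
  "flatmap-stream": { version: "0.1.1" } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/event-stream": { version: "3.3.4" },
  "node_modules/example-parent/node_modules/event-stream": { version: "3.3.6" } } };
console.log(findFlagged(sampleV1), findFlagged(sampleV3));
```

To check a real project, pass `findFlagged` the result of `JSON.parse` on the contents of its `package-lock.json`.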