Malicious code ousted from PureScript's npm installer – but who put it there in the first place?
Account hijacking claimed by some but it may just be a developer behaving badly
The installer, invoked by typing
According to Garrood, the installer was originally developed and maintained by Shinnosuke Watanabe (@shinnn), a developer based in Japan. The PureScript maintainers had disagreements with Watanabe about the upkeep of the installer and asked him to transfer the project to their control.
"He begrudgingly did so," explained Garrood in his post, noting that the 0.13.2 PureScript compiler release that debuted on July 5th is the first since the project team took over management of the installer package. And that's where the problems started.
The PureScript installer has dependencies also under the control of Watanabe, or rather it did until they were removed earlier this week: the npm packages
rate-map. Garrood says malicious code was introduced into each of these packages at separate times to break the recent revision of the PureScript installer – but not previous versions published by Watanabe.
"@shinnn claims that the malicious code was published by an attacker who gained access to his npm account," explained Garrood. "As far as we are aware, the only purpose of the malicious code was to sabotage the PureScript npm installer to prevent it from running successfully."
Compromised developer accounts represent an ongoing concern among all the software package registries. Earlier this month, a Ruby gem (package) was hijacked. And in June, a vulnerability in an npm package was exploited to steal cryptocurrency, echoing a similar incident that came to light in November last year.
But it's not clear that Watanabe's account was actually hijacked; this may just be a case of one developer lashing out at others over personal disagreements.
NPM Inc settles union-busting complaints on third try – after CEO trolled for ordering internal mole huntREAD MORE
Garrood implies that Watanabe is to blame for the security lapse but stops short of accusing him explicitly. He calls the compromise a malicious act without attributing it to anyone. At the same time, he cites behavior that's difficult to explain – he claims that Watanabe deleted a GitHub issue post on July 9 made by developer Jolse Maginnis indicating that his
load-from-cwd-or-npm package is breaking the installer.
In his analysis of the malicious portion of
load-from-cwd-or-npm, Garrood observes that the purpose of a specific conditional statement that had been added "seems to be to ensure that the malicious code only runs when our installer is being used (and not @shinnn’s)."
On Twitter, developer Vincent Orr chastised Garrood for insinuating that Watanabe is to blame, to which Garrood replied, "I've deliberately not assigned any blame, just relayed facts."
Orr however suggests that's inconsistent with mentioning Watanabe's GitHub handle a dozen times.
The Register emailed Garrood and Watanabe seeking comment but we've not heard back.
We've also asked NPM to elaborate on whether it has investigated the incident or taken any action against Watanabe based on these allegations. No word yet. ®