Two months ago someone going by the name of right9ctrl published a malicious version of the package event-stream to NPM, including what some have determined was malicious code designed to steal bitcoin. The public history of this issue can be found on an event-stream GitHub issue.
The malicious code was obfuscated by minification, was not present in the unminified version of the code, and used encryption to make its intent even harder to determine.
This is not the first time news of a malicious NPM package has been made public: in July a malicious version of eslint was published which siphoned npm tokens. Both packages have 2 million or more downloads a week.
Suggestion One: Reproducible Builds
For this specific incident the malicious code was only present in the minified package that shipped to users. The attacker had successfully hidden it by including an irrelevant library, flatmap-stream, and removing traces of this from the GitHub source code. Transparency into what code a package actually contains is at the core of trusting packages that come from NPM.
The idea of reproducible builds has been around for a long time. If we think of the minified version of these packages as a “binary”, which in essence it is since no human can read it without reverse-engineering effort, then the same approach can be taken. It would be a lot simpler to implement, too. Since 2013 Debian has been working to make all of its packages reproducible, and so far they are 94% of the way there. NPM would not have to contend with the many issues that variances in build environments produce for Debian packages.
Suggestion Two: Core Maintainers for a Standard Library