For the second time in as many weeks we’re seeing the fallout of missteps taken by publishers of open source components. It was just last week that I wrote about the GitHub id of go-bindata being highjacked. We don’t know for certain if the intentions were malicious but the risk was obvious.
Today we are finding that credentials were compromised for an npm component called conventional-changelog and a malicious version was uploaded that allegedly included a Monero cyptocurrency miner. Anyone who built or installed an npm package depending on the malicious package yesterday is now potentially running a miner and worse, potentially distributing it to their downstream users or customers.
A few months ago people were laughing at a parody of a similar situation describing credit card harvesting via a compromised package. It's not so funny any more, is it?
Open source developers typically thrive in creating something used by millions or billions of other people. This is the fuel that drives us and knowing that you’ve contributed, even in some small part, to the lives of millions of users is amazing.
Conversely, knowing that you’ve accidentally inflicted harm on those users through careless practices is probably devastating… yet seemingly not enough people are thinking about this before hand while it’s preventable.
We open source developers and package maintainers are finding ourselves at the front line of the new battle. Attackers have recognized the power of open source in terms of broad distribution and are seeking to use that against us.
We must not let them ruin the reputation of the things we’ve built. Or worse, the entire open source ecosystem.
If you're an open source contributor or package maintainer: Pay attention to your own digital security as you would if you were protecting millions of others. Because you are.