A Systematic Analysis of the Event-Stream Incident

On October 5, 2018, a GitHub user announced a critical security vulnerability in event-stream, a JavaScript package meant to simplify working with data-streams. The vulnerability, was introduced by a new maintainer, by including code designed to harvest account details from select Bitcoin wallets when executing as part of the Copay wallet. At the time of the incident, event-stream was used by hundreds of applications and averaged about two million downloads per week. This paper reports on the results of an independent analysis of the event-steam incident. A series of steps allowed the attacker to take control of important account functions, while the attack was designed to activate only on select few environments—only when part of a specific dependency tree, only on specific wallets, and only on the live Bitcoin network. Conventional program analysis techniques would have likely missed the attack, and manual vetting proved to be inadequate for the scale and complexity of dependencies used in modern applications. This incident is an important example of the risks associated with long software supply chains using third-party libraries, calling the research community to arms.

This work was partly supported by DARPA contract no. HR0011202-0013, HR001120C0191, and HR001120C0155. This work has also received funding from the European Union’s Horizon 2020 research
and innovation programme under grant agreement No 101021659 (SENTINEL), and from the European Health and Digital Executive Agency (HaDEA) under grant agreement No INEA/CEF/ICT/A2020/2373266 (JCOP).