Lesson from Core-JS: Beware hidden dependencies from indebted Russian devs


The Code-JS project is absolutely huge. Perhaps your project has a dependency on it? The likelihood is you’d never know.

But its sole developer is in trouble. Brilliant Russian coder Denis Pushkarev desperately needs money — he’s vulnerable to blackmail by the Russian government or its proxies. Who’s to say there isn’t already a secret backdoor hiding inside core-js?

The software supply chain security alarm should be at DEFCON 2 by now. In this week’s Secure Software Blogwatch, we sum up the situation at fast pace.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: YouTube as a form of hard drive.

This is not a drill

Ce qui se passe? Izoukhai reports — “The sad story of Denis Pushkarev”:

“In the real world, this isn’t enough”
Is open-source broken? … Created in 2014 by Denis Pushkarev (aka @zloirock), core-js solves the problem of cross-browser compatibility. The library provides polyfills for many features, such as Promise, Array.from, Object.assign, and more.

[It] is used by many popular JavaScript frameworks and libraries, such as React, Angular, and Vue. You can find core-js on about 75-80 of the top 100 websites. … Since Denis Pushkarev released it as open-source in 2014, it has been downloaded over nine billion times throughout the years. You may think that a guy like that gets a lot of gratitude from developers around the world. … Major companies adopted the library and thousands of developers started using [it] without even knowing they were using it or who the creator was … for free.

We often hear that open-source is great, good, ethical compared to close-source and all the typical woo-woo. But in the real world, this isn’t enough. You don’t live and pay bills by doing good things.

Scratch the surface and it’s much worse. John McBride calls it a “secure software supply-chain fiasco that has gotten out of control”:

“Prime target for state-sponsored hacker groups”
The secure software supply-chain … is the most important technological hurdle of our modern area and [it] is at incredible risk. There are many avenues to disastrous supply chain attacks, but widely used projects that have solo maintainers are probably the largest risk of them all. [It’s] difficult to believe they’re real, but here we see one: A solo maintainer project that Amazon, Netflix, Apple, LinkedIn, PayPal, Binance, and tens of thousands of others have a dependency on.

Core-js … has over 50 thousand dependent projects and some 40 million downloads weekly on NPM. … In short, it’s the JavaScript glue for web applications. … Like any project that attempts to [track] a “standard” … without constant update … core-js would quickly fall apart [which] could mean a whole swath of web applications stop working and break.

At the point where it becomes impossible to fork, maintain, or contribute back to the upstream project, you’ve effectively entered a deadlock hostage situation: … Your software’s well-being is now directly linked to a solo maintainer who’s incentives are completely out of your control. … See the massive financial trouble he is in: … Someone with crushing debt who presides over an incredibly valuable technological resource with little oversight is a prime target for state-sponsored hacker groups. … He could easily embed a malicious piece of code deep in the commit log.

How did he get here? Getting funds to him is challenging, notes Thomas Claburn — “Open source is broken”:

“The country in which he resides”
There are various reasons for this. One is that Pushkarev is in Russia, which since the illegal invasion of Ukraine has been subject to broad financial sanctions.

Pushkarev would prefer to focus on the economics of open source rather than the politics of his situation and of the country in which he resides. … Open source does appear to be broken, but in truth it was never whole or fair. Its problems were just more manageable in peaceful times.

This sounds like a horrifically risky situation. btown agrees with McBride:

“Nuance and splash radius”
Is anyone else alarmed that such a widely used project has exactly one maintainer who is able to push arbitrary changes without review? Especially … for a project embedded in Fortune 500 e-commerce and (likely) intranet/administrative sites, with an extremely large surface area of used APIs where malicious minified code might easily go unnoticed and is highly difficult to audit?

He could be threatened into allowing a malicious group to push changes in his name. … One might say that every open source project is vulnerable in some way, but there’s nuance and splash radius to consider here, and core-js does not have much defense-in-depth.

So, just stop using it? After all, IE11 finally died on Valentine’s Day, right? But u/mr_mattyb says that won’t work:

It’s not a technology that a company decides to use. … It’s a core building block of a building block.

Want to use Angular? A react framework like Next.js? Vue? They all use babel for compilation. Babel uses core-js.

IMO, some big tech company like Meta just needs to pick it up, employ the guy, and call it a day.

How could the industry have let this happen? swatcoder says it’s not the first such project — and it won’t be the last:

“Card-houses catastrophically tumble”
Anyone who’s been around long enough to watch dependency culture rise has known that it’s built on a house of cards. Open source development took root as a way to share cool work and receive some community recognition. Decades later, your code is the nth tier dependency silently sucked into 8 million projects through some dependency manager, … you’re not credited anywhere visible, and people are harassing you for not prioritizing their byzantine complaint.

We’re slowly on our way back to reasoned, respectful, collegial practices among developers But the road there is going to see a lot of these card-houses catastrophically tumble.

I think you ought to know I’m feeling very depressed. spoofles misquotes Isaac Newton:

On the shoulders of giants. It’s tough for developers in FOSS. They cannot ignore that their project benefits from other projects … but they also need to eat.

Meanwhile, u/Odd_Soil_8998 has had enough:

There are tons of behind-the-scenes [projects] that may not be sexy or lucrative, but are still necessary and useful. Do you really want to have OpenSSL wait for [funding] before they fix the next Heartbleed-level vulnerability?

And Finally:

Infinite-Storage-Glitch: Use YouTube as cloud storage for any files


Hat tip: kinduff

Previously in And finally

You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Jaunt and Joy (via Unsplash; leveled and cropped)

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Richi Jennings. Read the original post at: