The Changelog The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.

They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.


Discussion

Sign in or join to comment

Jerod Santo

Jerod Santo

Omaha, Nebraska

Jerod co-hosts The Changelog, crashes JS Party, and takes out the trash (his old code) once in awhile.

2018-12-06T15:59:14.329719Z ago

My favorite quote from this episode comes from Dominic in the last few moments:

Open source is a great idea and we need more of it… and more sharing, not less. If we let things like this make us too suspicious of each other to share and collaborate, then the terrorists win. That would be worse than being hacked occasionally.

0:00 / 0:00