Welcome to
This week: Denis Pushkarev is fed up with core-js freeloaders, and hundreds more malicious packages found at PyPI.
First up this week: The core-js project is a poorly-funded one-man band. And the situation is complicated by that one man being in Russia. However, around ¾ of the world’s top websites and services use it. Is open source “fundamentally broken”?
Could your organization sponsor core-js? If you have a dependency on it, consider pinning core-js.
Ed Targett: This JavaScript library is EVERYWHERE. Its maintainer is broke
“Remains an open question”
The primary maintainer of … core-js [which] is on hundreds of millions of websites and over 50% of the world’s most visited websites (from PayPal to Pornhub) says he may walk away from the project after maintaining it for years with minimal reward – or even change it to a closed source licence in future. … Denis Pushkarev said his already meagre donations had been largely cut off owing to western financial firms not dealing with payments to Russia, but even before that the “community” had been little support.
…
He is considering various options for the future … he said. These options include “appropriate financial backing”; being hired by a company that pays him to work on open source and web standards; making it closed source and commercial; or a “slow death”.
…
The core-js maintainer’s position met some sympathetic responses. [But] whether this flurry of sympathy will turn into a flurry of donations remains an open question.
Thomas Claburn: Open source is broken, no one will pay for it
“It was never whole or fair”
The issue of who pays for open source software, often created or managed by unpaid volunteers, continues to be a source of friction and discontent. … For the large companies that get more from the free labor in open source code than they pay out in donations – if indeed they pay out – the status quo looks like a pretty good deal.
…
Pushkarev would prefer to focus on the economics of open source rather than the politics of his situation and of the country in which he resides. … Open source does appear to be broken, but in truth it was never whole or fair. Its problems were just more manageable in peaceful times.
Horse’s mouth? Denis “@zloirock” Pushkarev:
“Less than $2 per hour”
Hi. I am … a full-time open-source developer. … This post was supposed to be a post about the start of active development of the new major version of core-js and the roadmap. [But] I’m ****ing tired. Free open-source software is fundamentally broken.
…
Core-js … is one of the main reasons why developers can use modern ECMAScript features in their development process each day for many years, but most developers just don’t know that they [use it] because … they use core-js indirectly as it’s provided by their transpilers / frameworks / intermediate packages. … You can find core-js on about 75-80 of the top 100 websites.
…
$400 for 250 hours [is] less than $2 per hour. … And no insurance or social security. … I’ve had enough of sponsoring corporations at the expense of my and my family’s well-being.
A sympathetic u/SpaceInstructor has their mind blown:
It blows my mind to learn the story. … I remember in 2013 when I started serious frontend work I had to choose polyfills by hand and integrate them in webpack. … I always thought these polyfills must be paid by Google or MS or some combination of the FANG companies. Big surprise!
…
We owe this man so much. … All of us have been benefiting from his work. … So much was built on top of core.js and it’s shocking to learn how little was paid back.
All of which is deeply alarming to btown:
Pushkarev seems to be a remarkably principled developer in a horrible situation, and I admire his commitment to this project. Setting that aside, though, is anyone else alarmed that such a widely used project has exactly one maintainer who is able to push arbitrary changes without review? Especially … for a project embedded in Fortune 500 e-commerce and (likely) intranet/administrative sites, with an extremely large surface area of used APIs where malicious minified code might easily go unnoticed and is highly difficult to audit?
…
The degree to which he could be threatened into allowing a malicious group to push changes in his name should not be taken lightly. … Pin your core-js dependency, and track security.snyk.io/vuln/npm?search=core-js as well as npm audit. … One might say that every open source project is vulnerable in some way, but there’s nuance and splash radius to consider here, and core-js does not have much defense-in-depth.
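One way to act on the pinning advice above (the column's own and btown's), as an added example that is not code from the column or from the core-js project: it reads a constructed package.json and package-lock.json and reports whether core-js is pinned to an exact version (directly, or via an npm `overrides` entry for the transitive case) and locked with an integrity hash. All package names, versions and hashes are constructed placeholders.

```python
"""Audit that critical npm dependencies such as core-js are pinned exactly and locked with an integrity hash (added example; constructed inputs)."""
import json
import re

EXACT = re.compile(r"^\d+\.\d+\.\d+$")  # exact semver; rejects ^, ~, x-ranges and dist-tags

# Constructed package.json: core-js left as a caret range, lodash pinned exactly.
PACKAGE_JSON = json.dumps({
    "dependencies": {"core-js": "^3.0.0", "lodash": "4.17.21"},
    "overrides": {},  # npm 8.3+ 'overrides' is where a transitive core-js gets pinned
})

# Constructed package-lock.json (lockfileVersion 3 layout); the core-js entry lacks 'integrity'.
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"core-js": "^3.0.0", "lodash": "4.17.21"}},
        "node_modules/core-js": {"version": "3.0.0", "resolved": "https://example.invalid/core-js.tgz"},
        "node_modules/lodash": {"version": "4.17.21", "resolved": "https://example.invalid/lodash.tgz",
                                "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"},
    },
})


def audit(package_json, package_lock, critical=("core-js",)):
    """Return {name: [issues]} for each critical package; an empty list means it passes."""
    pkg = json.loads(package_json)
    lock = json.loads(package_lock)
    # Direct dependency specs plus overrides, which are how a transitive dependency is pinned.
    specs = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {}), **pkg.get("overrides", {})}
    findings = {}
    for name in critical:
        issues = []
        spec = specs.get(name)
        if spec is None:
            issues.append("no direct dependency or override: a transitive range can float")
        elif not EXACT.match(spec):
            issues.append(f"range spec {spec!r}: pin to an exact version")
        entry = lock.get("packages", {}).get(f"node_modules/{name}")
        if entry is None:
            issues.append("missing from package-lock.json")
        else:
            if not entry.get("integrity"):
                issues.append("lock entry has no integrity hash, so the tarball is not verified")
            if spec and EXACT.match(spec) and entry.get("version") != spec:
                issues.append(f"lock version {entry.get('version')} differs from pinned {spec}")
        findings[name] = issues
    return findings
```

Run it in CI against the real package.json and lockfile and fail the build on any non-empty list, alongside `npm audit`.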
But this Anonymous Coward has no time for Pushkarev:
There is no such thing as an innocent Russian: People living under far more brutal domestic regimes … than Putin’s have stood up and done something about it—and in eras where access to the truth was much harder to come by than today. Russians don’t believe Putin’s lies because he is a master at the dark arts of manipulation or somehow they can’t fight back, they believe them because he is a master of telling the Russian people what they already wanted to hear.
(Source: Many years in both Russia and Ukraine; it’s a shame, but Russians are beyond saving.)
More malicious typosquatting PyPI packages have come to light. Hundreds of them.
How many more headlines like this are you going to read before you do something to block malicious deps? You need to recognise the incredible risk associated with blindly trusting random devs.
Bill Toulas: 451 PyPI packages install Chrome extensions to steal crypto
“Malicious PyPI packages”
Over 450 malicious PyPI Python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites. … These packages are being promoted through a typosquatting campaign that impersonates popular packages but with slight variations.
…
The goal is to deceive software developers into downloading these malicious packages instead of the legitimate ones [such as] bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, selenium, scrapy, colorama, scikit-learn, pytorch, pygame, and pyinstaller.
…
The malicious PyPI packages will create a malicious Chromium browser extension [which] will monitor for cryptocurrency addresses copied to the Windows clipboard. When a crypto address is detected, the browser extension will replace it with a set of hardcoded addresses under the threat actor’s control. This way, any sent crypto transaction amount will go to the threat actor’s wallet instead of the intended recipient.
Another PyPI dependency hack? The Aloof Alot is horrified:
The problem with Python packages is basically similar to VueJS and the like: Many packages are dependent on other packages, and so on. So for any fairly large project using one of the more complicated Python packages you also need to download a ****ton of dependencies, so many that it becomes impossible to audit them all. Often some change somewhere in the dependency chain will break something, so you end up needing to pin some package you never heard of.
…
I once checked how much of the code for a fairly large application we make for a customer was actually ours, and it came down to 4% of the total of 3 GB. The rest was the main packages we use + dependencies.
Prepare for new controls. So says dknj:
This is not an unsolved problem—e.g., big banks are not worried about this because of the controls they have in place. You will end up with a custom Python repository containing only approved packages. To upgrade a package will trigger a security review of all of the associated code and the cost of this will be billed to the product owner. Every library will be built from source or otherwise have third-party binaries validated and warrantied by the maintainer. It is a gated community where malware has a difficult time getting in. It is also costly and too expensive for most companies. That may change as the price of risk goes up.
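A small check that covers both the typosquatting campaign Toulas describes and the approved-packages control dknj describes, as an added example that is not code from the column or from any of the people quoted: it normalizes each name in a requirements file per PEP 503, accepts names on an allowlist, flags names within a small edit distance of an allowed name as probable typosquats, and reports everything else as unapproved. The allowlist and the requirements text are constructed for the example.

```python
"""Flag typosquat near-misses and non-approved names in a requirements file (added example; constructed data)."""
import re

# Constructed allowlist: the legitimate packages the article says were impersonated.
APPROVED = {"bitcoinlib", "ccxt", "cryptocompare", "cryptofeed", "freqtrade", "selenium",
            "solana", "vyper", "websockets", "yfinance", "pandas", "matplotlib", "aiohttp",
            "tensorflow", "scrapy", "colorama", "scikit-learn", "pygame", "pyinstaller"}

# Constructed requirements.txt: two near-misses, one unknown name, two legitimate entries.
SAMPLE_REQUIREMENTS = """\
selenum==4.8.0  # one letter short of selenium
pandas>=1.5
colorame
requests
Scikit_Learn[alldeps]>=1.2 ; python_version >= "3.8"
"""

def normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503: case-folded, -/_/. runs become '-'

def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, approved=APPROVED, max_distance=2):
    """Return ('approved', name), ('suspicious', nearest approved name) or ('unapproved', None)."""
    n = normalize(name)
    if n in approved:
        return "approved", n
    dist, nearest = min((levenshtein(n, a), a) for a in approved)
    if dist <= max_distance:  # close to an allowed name: treat as a probable typosquat and block
        return "suspicious", nearest
    return "unapproved", None

def check_requirements(text):
    results = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blank lines and pip options such as -r
            continue
        name = re.split(r"[\s<>=!~\[;@]", line, maxsplit=1)[0]  # strip extras, specifiers, markers
        results[name] = classify(name)
    return results
```

In a gated repository, only names that classify as "approved" would be mirrored; "suspicious" and "unapproved" both go to a human review before they are added.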
—Deepak Chopra
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or tlv@richi.uk.
Image: Evgeny Ozerov (via Unsplash; leveled and cropped)