Security News
Sarah Gooding
May 16, 2024
LDAPjs, an LDAP Client and Server API for Node.js, has been decommissioned after its maintainer, James Sumners, received an abusive email from a user. The open source library is relatively well-known in the Node.js ecosystem and had 68 contributors and 1.5K GitHub stars. Sumners has formally deprecated the LDAPjs package on npm, which was averaging more than 170,000 weekly downloads.
“I took it on when it was languishing without any maintenance as it filled a need in the ecosystem and I had built things at a prior organization that depended upon this project,” Sumners said.
“I spent a lot of time triaging issues and reworking things toward a path that could be more easily maintained by a community of volunteers. But I have not had the time to dedicate to this project in quite a while. There are outstanding issues that would take me at least a week of dedicated development time to solve, and I cannot afford to take time off of work to do that. Particularly considering that the aforementioned organization was two jobs ago, and it is extremely unlikely that I will transition to a role again that will need this project.”
Sumners received a vile and threatening email that was clearly from a dissatisfied user of the project looking to abuse LDAPjs’ maintainer over architectural differences regarding the API:
Although verbal abuse and death threats are unfortunately common experiences when maintaining open source projects (and in life on the internet in general), the unusual level of vitriol in this email was enough to push Sumners to decommission the project. He said the user’s particular concerns had previously been discussed in a more reasonable manner, but no one had taken the time to submit a PR to introduce a better API.
After the recent xz-utils backdoor incident, the tech community has a heightened sense of vigilance about the possibility of threat actors weaponizing targeted harassment against open source maintainers. Last month the OpenJS Foundation warned open source project maintainers to be on alert for social engineering takeovers after they intercepted a credible attempt via a series of emails.
Projects receiving complaints in the repo’s issue tracker while maintainers struggle to keep up is a common occurrence in open source. In a recent episode of the Risky Business podcast, Socket CEO Feross Aboukhadijeh commented on how the ordinary events surrounding the xz-utils attack - complaints about bugs, contributor offers, maintainer changes - were precisely what made it so difficult to detect.
“The text of the email makes it seem the author was a target of some troll attack,” one user commented on the Hacker News discussion about the decommissioned LDAPjs project. “I’m surprised gmail spam filters didn’t catch this. I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes.”
Participants in the discussion were collectively wary of targeted open source maintainer abuse becoming a new emerging pattern of attack:
“I hope this doesn't become a more widely used repo attack vector: Abuse repo maintainers until one or more fold. Fork the repo and become the New Maintainer That Saves The Day. At a later time, insert attack code.”
“This smells similar to the XZ thing -- demoralize / berate the maintainer and get them to step down.”
“If you're selling proprietary software and are worried about an OSS competitor, forget FUD, legal battles and patent challenges. Just send a few of these emails to the primary maintainer, and the OSS competitor will be no more.”
Even if this is simply an angry troll at work, it’s these types of interactions that compound and contribute to maintainer burnout. It’s especially effective when the maintainer is no longer paid to build software that depends on the project and motivation is low. Abuse is one way to push the odds in favor of an already overburdened maintainer giving up, and in the LDAPjs instance this appears to have been the final straw.
In the discussion on Hacker News, maintainers shared their own nightmarish tales of hateful emails and death threats they have received after putting their work out into the world. One commenter expressed concern that trolls, who have no vested interest in the continued maintenance of software, wield outsized influence over decisions like this. The unfortunate reality is that the decommissioned project likely negatively impacts every stakeholder except the troll and potentially reinforces this type of abuse.
“I will not tolerate abuse, and I especially will not tolerate tacit death threats, over a hobby,” Sumners said. “You can thank the author of that email for the decommissioning on this project.
“My recommendation to you in regard to LDAP operations: write a gateway in a language that is more suited to these types of operations. I'd suggest Go.”
Sumners isn’t handing the project off to just anyone - he said he would “consider turning it over to an interested party,” but would require at least one recommendation from a Node.js core contributor that he can vet with the people he knows on that team.
This incident is a stark warning that there are real humans behind the open source infrastructure that powers much of our digital world and they are not always impervious to abuse. Many of them are on the edge of burnout due to lack of collaboration, appreciation, time, and resources. A constant barrage of criticism without commensurate support can push individuals to a breaking point. It’s a reminder to treat maintainers with respect, as their well-being directly impacts the sustainability and security of the software we all rely on.