Security News
Sarah Gooding
June 25, 2024
In case you missed the firestorm that started over the weekend, the JavaScript ecosystem has been heavily debating a controversial change in the popular axobject-query library, which is downloaded from npm nearly 15 million times per week.
The library provides a way to query and map Accessibility (AX) objects to their corresponding ARIA roles and HTML elements. It helps developers understand and use the accessibility properties of web elements, ensuring better accessibility compliance and enhanced user experiences for assistive technology users.
A change in maintainership happened four days ago, and the new maintainer, Jordan Harband, merged a PR that immediately blew up into a clash between his vision and the community’s expectations. Harband swapped out a library for one that he maintains, which supports older versions of Node that no longer receive security updates.
Many users of the library were frustrated with what appeared to be a unilateral decision by a new maintainer that introduced 16 transitive dependencies in order to extend support down to Node 0.4 and equivalent browsers.
The PR was merged against the wishes of most of those who were participating in the discussion, and Harband received a barrage of criticism.
“As a user of this library I am strongly opposed to replacing dequal with a mess of dependencies that will bloat everyone's node_modules for absolutely no good reason whatsoever,” Rich Harris commented on the PR. “No-one needs Node 4 support. This is utterly absurd.”
Harband, a TC39 delegate and OpenJS Foundation board member, is a prolific open source developer who maintains more than 400 packages, which represent approximately 6% of all of npm’s downloads. He is the sole maintainer on almost all of his packages and is known for his profound commitment to long-term support, which is frequently unpopular in more pragmatic circles, where reducing node_modules size is a higher priority.
Those opposing the PR believe that maintaining support for very old versions of Node.js is generally unnecessary today. Most developers have moved on to more recent versions due to better performance, security, and features. Continuing support for such old versions can lead to complications, like increased dependencies and reduced compatibility with modern development practices. Many consider it impractical to support outdated versions.
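The dependency count at the center of this dispute is something a defender can measure rather than argue about: every package a lock file pulls in is another maintainer account and publish pipeline the project trusts. The script below is an added example, not code from the Socket article or from the axobject-query project. It walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), resolves each dependency the way Node's module lookup does (nearest `node_modules` first, then climbing toward the root), and reports for each direct dependency how many packages it brings in transitively and how many of those nothing else in the tree needs. The lock file embedded here is constructed, with hypothetical package names; the figure of 16 transitive dependencies quoted above comes from the PR, not from this sample.

```javascript
// Added example: measure the transitive footprint of each direct dependency in
// an npm lock file. The lock below is constructed for illustration; package
// names are hypothetical, but the shape matches what npm writes: keys are
// node_modules paths, "" is the root project, and a nested path such as
// node_modules/lib-b/node_modules/util-z is how npm records a second copy of a
// package when version ranges conflict.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "lib-a": "^1.0.0", "lib-b": "^2.0.0" } },
    "node_modules/lib-a": { version: "1.0.0", dependencies: { "util-x": "^1.0.0", "util-y": "^1.0.0" } },
    "node_modules/util-x": { version: "1.0.0", dependencies: { "util-z": "^1.0.0" } },
    "node_modules/util-y": { version: "1.0.0", dependencies: { "util-z": "^1.0.0" } },
    "node_modules/util-z": { version: "1.0.0" },
    "node_modules/lib-b": { version: "2.0.0", dependencies: { "util-z": "^2.0.0" } },
    "node_modules/lib-b/node_modules/util-z": { version: "2.0.0" },
  },
};

// Resolve a dependency name from the package located at fromPath the way Node
// does: try <fromPath>/node_modules/<name>, then each enclosing package's
// node_modules, ending at the root. Returns the lock-file key or null.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every package reachable from startPath (depth-first), excluding startPath.
function transitiveClosure(packages, startPath) {
  const seen = new Set([startPath]);
  const stack = [startPath];
  while (stack.length > 0) {
    const current = stack.pop();
    const deps = packages[current].dependencies || {};
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, current, name);
      if (resolved !== null && !seen.has(resolved)) {
        seen.add(resolved);
        stack.push(resolved);
      }
    }
  }
  seen.delete(startPath);
  return seen;
}

// Number of installed packages recorded in the lock file, root excluded.
// Duplicate copies of one package (different versions) count separately.
function countInstalledPackages(lock) {
  return Object.keys(lock.packages).filter((key) => key !== "").length;
}

// For each direct dependency of the root project: how many packages it pulls
// in transitively, and how many of those would disappear from the tree if
// the direct dependency were removed (nothing else depends on them).
function reportDirectDeps(lock) {
  const packages = lock.packages;
  const direct = new Map(); // name -> { path, closure }
  for (const name of Object.keys(packages[""].dependencies || {})) {
    const path = resolveDep(packages, "", name);
    if (path !== null) direct.set(name, { path, closure: transitiveClosure(packages, path) });
  }
  const report = {};
  for (const [name, { closure }] of direct) {
    // Everything the rest of the tree would still need without this dependency.
    const stillNeeded = new Set();
    for (const [other, info] of direct) {
      if (other === name) continue;
      stillNeeded.add(info.path);
      for (const p of info.closure) stillNeeded.add(p);
    }
    let exclusive = 0;
    for (const p of closure) if (!stillNeeded.has(p)) exclusive += 1;
    report[name] = { transitive: closure.size, exclusive };
  }
  return report;
}

// Usage: point this at a real lock file with
//   JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))
// in place of sampleLock.
console.log("installed packages:", countInstalledPackages(sampleLock));
console.log(reportDirectDeps(sampleLock));
```

Running it on a project before and after a dependency swap gives a concrete before/after count to put in a PR review, and the `exclusive` figure separates packages a change genuinely adds from ones the tree already carried. The nested `util-z` entry in the sample is worth noting: it shows up as a second installed package even though it is the same name, which is exactly how version-range conflicts inflate `node_modules`.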
Harband responded to the criticisms on the PR with an explanation for the approach he was taking.
“Indeed, it doesn't have as few dependencies, but it has fewer than deep-equal which was used previously,” Harband said. “If it can be done with fewer dependencies and the same reliability and compat, then I'd love to review some PRs on deep-equal-json (and deep-equal).
“This PR extends support down to node 0.4 and equivalent browsers, which is useful because accessibility means including everyone, even those few users on old browsers.”
SvelteKit maintainer Ben McCann contends that “engineering is about trade-offs” and that version 3.2.0 was released without Node 4 support over a year ago, and “not a single person has filed an issue during all that time.”
Harband explained that he wasn’t using the same metrics in his decision-making about the project.
“Engineering is indeed about tradeoffs, and I clearly think that dep count and install/bundle size are a worthy sacrifice in the face of compatibility, accessibility, correctness, and reliability,” he said.
The discussion on the PR was eventually locked after it became too heated and spiraled out of control on social media.
Deeply contentious changes in popular open source projects are part of life in this ecosystem, but the way this situation unfolded was a clear indication of the need to reexamine how we treat maintainers and what boundaries we set for community expectations.
Unfortunately, this PR resulted in a “pile on” situation on Twitter where it appeared to those who don’t know Harband that the axobject-query library had been “taken over by some random dude.” Some sensationalized the security concerns and tweeted that it might be a supply chain attack, calling into question the motives and integrity of an open source maintainer whose packages were downloaded more than 9 billion times last month.
When we spoke with Harband, he said this pile on was unusual and that a similar thing had happened only once before, when some people incited a Twitter mob targeting the TC39 committee. At that time, he said, he was just a target; nobody was questioning his motives, calling him deranged or claiming he was doing things for money.
“The point that also gets missed is that I compromised - adding my dep is now only in v3, and v4 will forever not have it,” he said.
In the wake of the xz-utils incident, developers are hyper-aware of suspicious changes in maintainership, but many have since forgotten that the strain, burnout, and lack of support for open source maintainers was also a critical factor in that situation.
Harband had volunteered to help maintain the project after the original maintainer went looking for someone to unblock momentum on some issues. These were people who were already working together, with one stepping in to help when the other needed it.
Changes in maintainership aren’t always publicly disclosed. It isn’t customary or expected, but in this case the conversation was public. Nevertheless, those who were unaware were quick to publicly speculate and promote false narratives about the nature of this controversial PR.
“I met with the new maintainer,” Mary Sutton Todd, Senior Frontend engineer at Shift Paradigm, said on Twitter. “I do believe he’s doing work in good faith to support older ESLint versions that still have many downloads. The current plan allows for older major releases to support old Node and newer ones to keep moving along (say, a v3 vs a v4).
“I’m going to join more often as a PR reviewer, time permitting. Since this firestorm really seemed to stem from a communication gap.”
Open source maintainers can be opinionated. The uncomfortable reality is that if discussion isn’t productive towards reaching a mutually beneficial conclusion, and the direction of the project doesn’t align with where you’re going, you will be forced to fork it or use something else. It can be inconvenient and frustrating, but the beauty of open source is that it gives you that option.
It’s not easy to find people with the constitution to deal with this type of hostility while volunteering their time. Open source maintainers often quit due to abuse, but most of them do it by quietly giving up. It's a thankless task that occasionally rewards you with character assassination when you least expect it.
We often talk about the lack of funding for sustaining OSS, but when ideals clash, it's important to remember that respect is the currency of decent people. The vast majority of maintainers are not motivated by money—they are driven by a passion for problem solving, impact, and a desire to contribute something back to the world. Respect and empathy will go a long way towards fostering a thriving ecosystem and ensuring the longevity of open source software and its maintainers.