npm ERR! 404 Not Found: event-stream@3.3.6


Problem description

I am trying to deploy my project and I'm suddenly getting this error.

npm ERR! 404 Not Found: event-stream@3.3.6

Recommended answer

tldr;

Holy cow! It turns out that the event-stream package had a vulnerability that allowed a hacker to steal bitcoin.

To fix it you need to update your event-stream package.

  1. Delete the node_modules folder.
  2. Delete the package-lock.json file.
  3. Run npm install.

This should update your packages to a safe version and you should be good to go.

And here is the official response from the NPM blog:

Details about the event-stream incident

This is an analysis of the event-stream incident of which many of you became aware earlier this week. npm acts immediately to address operational concerns and issues that affect the safety of our community, but we typically perform more thorough analysis before discussing incidents—we know you’ve been waiting.

On the morning of November 26th, npm’s security team was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm Security responded by removing flatmap-stream and event-stream@3.3.6 from the Registry and taking ownership of the event-stream package to prevent further abuse.

The malicious package was version 0.1.1 of flatmap-stream. This package was added as a direct dependency of the event-stream package by a new maintainer on September 9, 2018, in version 3.3.6. The event-stream package is widely used, but the malicious code targeted developers at a company that had a very specific development environment setup: running the payload in any other environment has no effect. This specific targeting means that, ultimately, most developers would not be affected even if they had mistakenly installed the malicious module.

The injected code targets the Copay application. When a developer at Copay runs one of their release build scripts, the resulting code is modified before being bundled into the application. The code was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1000 Bitcoin Cash.

Copay’s initial response was that no builds containing this malicious code were released to the public, but we now have confirmation from Copay that "the malicious code was deployed on versions 5.0.2 through 5.1.0."

The attack

This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over maintainership of the event-stream module.

The technical details

Here are some technical details that we know about, for those of you interested in this.

The injected code:

  1. Read in AES encrypted data from a file disguised as a test fixture
  2. Grabbed the npm package description of the module that imported it, using an automatically set environment variable
  3. Used the package description as a key to decrypt a chunk of data pulled in from the disguised file

The decrypted data was part of a module, which was then compiled in memory and executed.

This module performed the following actions:

  1. Decrypted another chunk of data from the disguised file
  2. Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
  3. Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
  4. Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts

The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.

This code would do the following:

  1. Detect the current environment: Mobile/Cordova/Electron
  2. Check the Bitcoin and Bitcoin Cash balances on the victim’s copay account
  3. If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
     - Harvest the victim’s account data in full
     - Harvest the victim’s copay private keys
     - Send the victim’s account data/private keys off to a collection service running on 111.90.151.134.

For users of the Copay app, bitpay recommends, "If you are using any version from 5.0.2 to 5.1.0, you should not run or open the Copay app."

For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.

