Npm JavaScript supply chain attack: event-stream

From razwiki

https://github.com/dominictarr/event-stream/issues/116 - "I don't know what to say."

In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package.
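A lockfile check for the two packages named above, as an added example that is not part of the original page or of npm's tooling. It takes an already parsed package-lock.json object; the function names, the sample lockfiles and the choice to flag every version of flatmap-stream are assumptions of this example.

```javascript
// Indicators from the text above. Flagging every flatmap-stream version is an
// assumption of this example; the page names no specific version of it.
const INDICATORS = [
  { name: "flatmap-stream", version: null },
  { name: "event-stream", version: "3.3.6" },
];
const isFlagged = (name, version) =>
  INDICATORS.some(i => i.name === name && (i.version === null || i.version === version));

// lockfileVersion 1: nested "dependencies" tree; record the install nesting path.
function walkTree(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (isFlagged(name, info.version)) hits.push({ name, version: info.version, via: chain.join(" > ") });
    walkTree(info.dependencies, chain, hits);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function walkPackages(packages, hits) {
  const marker = "node_modules/";
  for (const [key, info] of Object.entries(packages)) {
    if (key === "") continue; // the root project itself
    const at = key.lastIndexOf(marker);
    const name = info.name || (at >= 0 ? key.slice(at + marker.length) : key);
    if (isFlagged(name, info.version)) hits.push({ name, version: info.version, via: key });
  }
}

// Takes a parsed package-lock.json object and returns every flagged entry.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (hypothetical names and versions, apart from the indicators).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "example-tool": { version: "1.0.0", dependencies: {
    "event-stream": { version: "3.3.6", dependencies: {
      "flatmap-stream": { version: "0.0.0" } } } } },
  "example-lib": { version: "2.0.0" } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "1.0.0" },
  "node_modules/event-stream": { version: "4.0.0" },
  "node_modules/example-tool/node_modules/event-stream": { version: "3.3.6" } } };

console.log(scanLockfile(SAMPLE_V1));
console.log(scanLockfile(SAMPLE_V3));
```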