Malicious Package

Affecting flatmap-stream package, ALL versions

Overview

flatmap-stream is a malicious package that was used to steal bitcoin from wallets. Its payload checked whether the copay-dash package was installed and, if so, attempted to steal the bitcoin held in the wallet. It was distributed by taking over the popular event-stream package and adding flatmap-stream as a dependency, so projects that never listed flatmap-stream directly still pulled it in transitively.

You can read more about the malicious code on our blog.

Disclosure Timeline

  • 9th September, 2018 - GitHub user right9ctrl adds flatmap-stream as a dependency of the event-stream package and publishes version 3.3.6 of event-stream.
  • 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and publishes a new version (4.0.0).
  • 20th November, 2018 - Ayrton Sparling raises an issue on the event-stream repository.
  • 26th November, 2018 - npm unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.

Remediation

Do not use any version of flatmap-stream, and do not use version 3.3.6 of event-stream. Because the malicious package arrived as a transitive dependency of event-stream, checking package.json is not enough: inspect the lockfile (package-lock.json or yarn.lock) and the installed node_modules tree for both packages, and rebuild from a clean lockfile once they are gone.


CVSS Score

9.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Ayrton Sparling
CWE: CWE-506
Snyk ID: SNYK-JS-FLATMAPSTREAM-72637
Disclosed: 20 Nov, 2018
Published: 26 Nov, 2018