<p>Avoid using any version of <code>flatmap-stream</code> and version <code>3.3.6</code> of <code>event-stream</code>.</p>

Malicious Package Affecting flatmap-stream package, versions *

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-FLATMAPSTREAM-72637
published 26 Nov 2018
disclosed 20 Nov 2018
credit Ayrton Sparling

Report a new vulnerability Found a mistake?

Introduced: 20 Nov 2018

Malicious CWE-506 Open this link in a new tab

How to fix?

Avoid using any version of flatmap-stream and version 3.3.6 of event-stream.

Overview

flatmap-stream is a malicious package which was used in order to steal bitcoins from wallets. The malicious code was able to check if the copay-dash package was installed, and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.

You can read more about the malicious code on our blog.

Disclosure Timeline

9th September, 2018- GitHub user right9ctrl adds flatmap-stream as a dependency of the package event-stream and published version 3.3.6 or the package.
16th September, 2018- right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
20th November, 2018- Ayrton Sparling raises an issue on event-stream.
26th November, 2018- NPM unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.