flatmap-stream is a malicious package that was used to steal bitcoins from wallets. The malicious code was able to check whether the copay-dash package was installed and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.
You can read more about the malicious code on our blog.
- 9th September, 2018 - GitHub user
  flatmap-stream as a dependency of the package event-stream and published version 3.3.6 of the package.
- 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
- 20th November, 2018 - Ayrton Sparling raises an issue on
- 26th November, 2018 - NPM unpublishes the flatmap-stream package and removes version 3.3.6 of
Avoid using any version of flatmap-stream and version
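One way to check a project against the versions named in the timeline above, as an added example (not Snyk's or npm's code): it walks a parsed package-lock.json in either the nested v1 layout or the flat v2/v3 `packages` layout and flags any flatmap-stream entry and event-stream 3.3.6. The function names, the sample lockfiles and the placeholder package names are assumptions made for the illustration.

```javascript
// Rules from the timeline above: any flatmap-stream, and event-stream 3.3.6.
const RULES = {
  "flatmap-stream": () => true,
  "event-stream": (version) => version === "3.3.6",
};

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function check(name, version, where, findings) {
  const isBad = Object.prototype.hasOwnProperty.call(RULES, name) && RULES[name];
  if (isBad && isBad(version)) findings.push({ name, version, where });
}

// Lockfile v1 nests installed transitive packages under "dependencies".
function walkV1(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    check(name, info.version, path.join(" > "), findings);
    walkV1(info.dependencies, path, findings);
  }
}

// Accepts a parsed package-lock.json and returns every flagged entry.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name) check(name, info.version, path, findings);
    }
  } else {
    walkV1(lock.dependencies, [], findings);
  }
  return findings;
}

// Constructed sample lockfiles; package names other than the two from the
// advisory, and all version strings except 3.3.6 and 4.0.0, are made up.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-tool": { version: "1.0.0", dependencies: {
    "event-stream": { version: "3.3.6", dependencies: {
      "flatmap-stream": { version: "0.0.0" } } } } } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "app" }, "node_modules/event-stream": { version: "4.0.0" } } };
```

Pass it `JSON.parse` of the lockfile's contents; an empty result means neither flagged entry is locked.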
- Ayrton Sparling
- Snyk ID
- 20 Nov, 2018
- 26 Nov, 2018