Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

A widely used npm package, event-stream, has been found to contain a malicious package named flatmap-stream. This was disclosed via a GitHub issue raised against the source repo.

The event-stream package makes creating and working with streams easy, and is very popular, getting roughly 2 million downloads a week. The malicious child package has been downloaded nearly 8 million times since its inclusion back in September 2018.

We have added the malicious package to our vulnerability database. If your project is being monitored by Snyk and we find the malicious dependency (either event-stream@3.3.6 or any version of flatmap-stream) you will be notified via Snyk’s routine alerts.

If your projects are not monitored by Snyk and you’d like to test them for the use of this package, click here to test your repositories with Snyk, or use our CLI to test projects locally.

Here’s how the events unfolded:

The event-stream npm package, while popular, is not actively maintained. In fact, the package had not been updated for a couple of years except for some cosmetic README changes - and the malicious library in question.

The presumed attacker, whose GitHub handle is right9ctrl, reportedly offered to help maintain the library. The original maintainer, Dominic Tarr - likely aiming to help his users - agreed, granting right9ctrl publishing rights. It’s important to note transferring ownership is a fairly common practice in the world of open source, used to help maintain projects when the original authors are no longer able or willing to do so.

Unfortunately, this new owner proceeded to add a malicious library called flatmap-stream to the event-stream package as a dependency, leading to its download and invocation by every user of the event-stream package (using the malicious 3.3.6 version). The malicious library download added up to nearly 8 million downloads to-date.

Since adding libraries is a common practice, it’s easy to see how the new library was not reviewed too carefully. Furthermore, the library appears to have performed the promised functionality (handling a flat map stream). Lastly, the malicious code inside the library was obfuscated to evade detection (it was later decoded to reveal the malicious code).

The malicious dependency remained undetected for 2.5 months, until a user, Ayrton Sparling, noticed and reported a strange looking dependency on November 20th. The dependency - which held obfuscated code - was quickly understood to be malicious, news of which was made more widely known today (November 26th).Snyk immediately added the vulnerability to our database and reported it to the Node Foundation Security working group, who are actively reviewing it. npm also responded to the incident and unpublished the malicious library, flatmap-stream, as was the offending event-stream version 3.3.6.

As for the malicious actions themselves, it appears the code focused on stealing bitcoins from application, redirecting any mined bitcoins to the attacker’s wallet (instead of the intended target). You can read more about it on Snyk advisory page.

What should you do?

Your immediate priority should be to check if you are using the malicious library in question. If so, future builds of your application will fail, but any previously deployed applications will likely contain (and are potentially executing) the malicious code.

If your project is being monitored by Snyk, you will be notified via Snyk’s routine alerts, should your application contain this malicious package.

If however you are not monitoring your projects with Snyk (yet!) you can run a one-off test, by clicking here to test your repositories, or by using our CLI to test your projects locally.

I’m affected, what should I do next?

You should first eliminate the malicious package from your application, which you can do by reverting back to version 3.3.4 of event-stream.

If your application used the malicious library and deals with bitcoin, inspect its activity in the last 3 months to see if any mined or transferred bitcoins did not make it into your wallet.

If your application does not deal with bitcoin but is especially sensitive, we recommend you inspect its activity in the last 3 months for any suspicious activity, notably data sent on the network to unintended destinations. We believe it unlikely that the code does anything more than bitcoin stealing, but the complete analysis is still underway.