Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

Danny GranderNovember 26, 2018

A widely used npm package, event-stream, has been found to contain a malicious package named flatmap-stream. This was disclosed via a GitHub issue raised against the source repo.

The event-stream package makes creating and working with streams easy, and is very popular, getting roughly 2 million downloads a week. The malicious child package has been downloaded nearly 8 million times since its inclusion back in September 2018.

We have added the malicious package to our vulnerability database. If your project is being monitored by Snyk and we find the malicious dependency (either event-stream@3.3.6 or any version of flatmap-stream) you will be notified via Snyk’s routine alerts.

If your projects are not monitored by Snyk and you’d like to test them for the use of this package, click here to test your repositories with Snyk, or use our CLI to test projects locally.

Here’s how the events unfolded:

The event-stream npm package, while popular, is not actively maintained. In fact, the package had not been updated for a couple of years except for some cosmetic README changes – and the malicious library in question.

The presumed attacker, whose GitHub handle is right9ctrl, reportedly offered to help maintain the library. The original maintainer, Dominic Tarr – likely aiming to help his users – agreed, granting right9ctrl publishing rights. It’s important to note transferring ownership is a fairly common practice in the world of open source, used to help maintain projects when the original authors are no longer able or willing to do so.

Unfortunately, this new owner proceeded to add a malicious library called flatmap-stream to the event-stream package as a dependency, leading to its download and invocation by every user of the event-stream package (using the malicious 3.3.6 version). To date, the malicious library has accumulated nearly 8 million downloads this way.

Since adding libraries is a common practice, it’s easy to see how the new library was not reviewed too carefully. Furthermore, the library appears to have performed the promised functionality (handling a flat map stream). Lastly, the malicious code inside the library was obfuscated to evade detection (it was later decoded to reveal the malicious code).

The malicious dependency remained undetected for 2.5 months, until a user, Ayrton Sparling, noticed and reported a strange looking dependency on November 20th. The dependency – which held obfuscated code – was quickly understood to be malicious, news of which was made more widely known today (November 26th).

Snyk immediately added the vulnerability to our database and reported it to the Node Foundation Security working group, who are actively reviewing it. npm also responded to the incident and unpublished the malicious library, flatmap-stream, as well as the offending event-stream version 3.3.6.

As for the malicious actions themselves, it appears the code focused on stealing bitcoins from applications, redirecting any mined bitcoins to the attacker’s wallet (instead of the intended target). You can read more about it on the Snyk advisory page.

What should you do?

Your immediate priority should be to check if you are using the malicious library in question. If so, future builds of your application will fail (the package has been unpublished from npm), but any previously deployed applications will likely contain (and are potentially executing) the malicious code.

If your project is being monitored by Snyk, you will be notified via Snyk’s routine alerts, should your application contain this malicious package.

If however you are not monitoring your projects with Snyk (yet!) you can run a one-off test, by clicking here to test your repositories, or by using our CLI to test your projects locally.

I’m affected, what should I do next?

You should first eliminate the malicious package from your application, which you can do by reverting to version 3.3.4 of event-stream.

If your application used the malicious library and deals with bitcoin, inspect its activity in the last 3 months to see if any mined or transferred bitcoins did not make it into your wallet.

If your application does not deal with bitcoin but is especially sensitive, we recommend you inspect its activity in the last 3 months for any suspicious activity, notably data sent on the network to unintended destinations. We believe it unlikely that the code does anything more than bitcoin stealing, but the complete analysis is still underway.
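For teams that want to check a lock file offline rather than through Snyk, the following is an added example (not code from the Snyk post or the Snyk CLI) that scans a package-lock.json for the two indicators named above: event-stream@3.3.6, or any version of flatmap-stream. The lock file contents and the flatmap-stream version number in it are a constructed sample.

```javascript
// Added example, not from the original post: flag the advisory's dependency
// versions in an npm lock file. Rules follow the text: any flatmap-stream
// version is malicious, event-stream only at 3.3.6.
const MALICIOUS = {
  'flatmap-stream': () => true,
  'event-stream': (version) => version === '3.3.6',
};

// Supports lockfileVersion 1 (nested "dependencies" tree) and
// lockfileVersion 2/3 (flat "packages" map). Returns every hit as
// { name, version, path } so the nesting path can be reported.
function findMaliciousDeps(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const isBad = MALICIOUS[name];
    if (isBad && isBad(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/b"; "" is the root
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue;
      const name = key.split('node_modules/').pop();
      check(name, entry.version, key);
    }
    return hits;
  }
  // v1: walk nested "dependencies" objects recursively
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}/${name}`;
      check(name, entry.version, path);
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock file (lockfileVersion 1) containing the bad pair;
// the flatmap-stream version here is a made-up placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: { 'flatmap-stream': { version: '1.0.0' } },
    },
    through: { version: '2.3.8' },
  },
};

for (const h of findMaliciousDeps(SAMPLE_LOCK)) {
  console.log(`MALICIOUS: ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a clean project yields an empty result.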
