flatmap-stream@0.0.1-security


high severity

Malicious Package

  • Vulnerable module: flatmap-stream
  • Introduced through: flatmap-stream@0.0.1-security

Detailed paths

  • Introduced through: flatmap-stream@0.0.1-security

Overview

flatmap-stream is a malicious package that was used to steal bitcoins from wallets. The malicious code checked whether the copay-dash package was installed and, if so, attempted to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.

You can read more about the malicious code on our blog.

Disclosure Timeline

  • 9th September, 2018 - GitHub user right9ctrl adds flatmap-stream as a dependency of the event-stream package and publishes version 3.3.6 of the package.
  • 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
  • 20th November, 2018 - Ayrton Sparling raises an issue on event-stream.
  • 26th November, 2018 - npm unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.

Remediation

Avoid using any version of flatmap-stream and version 3.3.6 of event-stream.
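One way to apply this remediation across a project's dependency tree, as an added example that is not part of this advisory or of any Snyk or npm tooling: walk a package-lock.json (lockfileVersion 1 nested form and the flat 2/3 form) and report every "introduced through" path that pulls in any flatmap-stream release or event-stream 3.3.6 exactly. The sample lockfiles are constructed; every version other than 3.3.6 in them is made up.

```python
import json
import sys

# Blocklist from the advisory: every flatmap-stream release, and event-stream 3.3.6 only.
BLOCKED = {"flatmap-stream": None, "event-stream": {"3.3.6"}}

def is_blocked(name, version):
    if name not in BLOCKED:
        return False
    bad_versions = BLOCKED[name]
    return bad_versions is None or version in bad_versions

def find_blocked(lock):
    """Return (introduced-through path, name@version) pairs for blocked packages.
    Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages")."""
    hits = []
    if "packages" in lock:
        # v2/v3 keys look like "node_modules/a/node_modules/b"; "" is the root project
        for key, meta in lock["packages"].items():
            if not key:
                continue
            path = [p.rstrip("/") for p in key.split("node_modules/") if p]
            name, version = path[-1], meta.get("version", "")
            if is_blocked(name, version):
                hits.append((" > ".join(path), f"{name}@{version}"))
    else:
        def walk(deps, path):
            for name, meta in deps.items():
                here, version = path + [name], meta.get("version", "")
                if is_blocked(name, version):
                    hits.append((" > ".join(here), f"{name}@{version}"))
                walk(meta.get("dependencies", {}), here)
        walk(lock.get("dependencies", {}), [])
    return hits

# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "event-stream": {"version": "3.3.6",
                     "dependencies": {"flatmap-stream": {"version": "0.1.0"}}},
    "through": {"version": "2.3.8"}}}
SAMPLE_LOCK_V2 = {"lockfileVersion": 2, "packages": {
    "": {"name": "app"},
    "node_modules/event-stream": {"version": "4.0.0"},
    "node_modules/event-stream/node_modules/flatmap-stream": {"version": "0.1.0"}}}

if __name__ == "__main__":
    # Pass a real package-lock.json path, or run without arguments to scan the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V1
    for path, pkg in find_blocked(lock):
        print(f"{pkg} introduced through: {path}")
```

An empty result for a lockfile only means these two names are absent; it does not verify the integrity of anything else in the tree.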
