Malicious Package Affecting flatmap-stream package, versions *
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Mature
- Snyk ID SNYK-JS-FLATMAPSTREAM-72637
- published 26 Nov 2018
- disclosed 20 Nov 2018
- credit Ayrton Sparling
How to fix?
Avoid using any version of flatmap-stream and version 3.3.6 of event-stream.
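A practical way to apply that advice is to check a project's lockfile for the two packages named above. The script below is an added example, not Snyk's code: it walks an npm package-lock.json object (both the nested lockfileVersion 1 "dependencies" tree and the flat lockfileVersion 2/3 "packages" map keyed by node_modules path) and reports every flatmap-stream install, at any version, and every event-stream install pinned to 3.3.6. The two sample lockfiles are constructed for the demonstration; the flatmap-stream version in them is a placeholder, since the advisory covers all versions.

```javascript
// Added example (not Snyk's code). Scans an npm package-lock.json object for the
// packages named in this advisory. Assumes the real npm lockfile layouts:
// lockfileVersion 1 nests trees under "dependencies"; v2/v3 flatten them under
// "packages", keyed like "node_modules/a/node_modules/b". In a real project you
// would JSON.parse the file read from disk instead of the constructed samples.
const AFFECTED = [
  { name: 'flatmap-stream', versions: null },   // any version is malicious
  { name: 'event-stream', versions: ['3.3.6'] }, // only 3.3.6 pulled flatmap-stream in
];

function matches(name, version) {
  return AFFECTED.some(
    (a) => a.name === name && (a.versions === null || a.versions.includes(version)),
  );
}

// Recursive walk of a lockfileVersion 1 "dependencies" tree; nested
// node_modules show up as nested "dependencies" objects.
function walkV1(deps, parent, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = parent ? `${parent} > ${name}` : name;
    if (matches(name, info.version)) {
      out.push({ name, version: info.version, path });
    }
    walkV1(info.dependencies, path, out);
  }
}

// Flat walk of a lockfileVersion 2/3 "packages" map. The package name is the
// text after the last "node_modules/", which also handles @scope/name keys.
function walkV3(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const name = key.split('node_modules/').pop();
    if (matches(name, info.version)) {
      out.push({ name, version: info.version, path: key });
    }
  }
}

// Returns every affected package found, with its version and install path.
// lockfileVersion 2 carries both maps; "packages" is the authoritative one.
function findAffected(lock) {
  const out = [];
  if (lock.packages) {
    walkV3(lock.packages, out);
  } else {
    walkV1(lock.dependencies, null, out);
  }
  return out;
}

// Constructed sample: v1 lockfile where event-stream 3.3.6 pulls in flatmap-stream.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: {
        'flatmap-stream': { version: '1.2.3' }, // placeholder version, constructed
      },
    },
    'some-other-lib': { version: '2.0.0' },
  },
};

// Constructed sample: v3 lockfile where a clean top-level event-stream 4.0.0
// coexists with a transitive event-stream 3.3.6 buried under another package.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/event-stream': { version: '4.0.0' },
    'node_modules/legacy-tool': { version: '1.0.0' },
    'node_modules/legacy-tool/node_modules/event-stream': { version: '3.3.6' },
  },
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`, findAffected(lock));
}
```

Matching on the install path rather than only the top-level dependency list matters here because the malicious dependency arrived transitively; a project that never listed flatmap-stream itself still had it on disk once event-stream 3.3.6 was resolved.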
Overview
flatmap-stream is a malicious package that was used to steal bitcoins from wallets. The malicious code checked whether the copay-dash package was installed and, if so, attempted to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.
You can read more about the malicious code on our blog.
Disclosure Timeline
- 9th September, 2018 - GitHub user right9ctrl adds flatmap-stream as a dependency of the package event-stream and publishes version 3.3.6 of the package.
- 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
- 20th November, 2018 - Ayrton Sparling raises an issue on event-stream.
- 26th November, 2018 - NPM unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.