Malicious Package

Affecting flatmap-stream package, ALL versions

high severity

Overview

flatmap-stream is a malicious package that was used to steal bitcoins from wallets. The malicious code checked whether the copay-dash package was installed and, if so, attempted to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.

You can read more about the malicious code on our blog.

Disclosure Timeline

  • 9th September, 2018 - GitHub user right9ctrl adds flatmap-stream as a dependency of the event-stream package and publishes version 3.3.6 of the package.
  • 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
  • 20th November, 2018 - Ayrton Sparling raises an issue on event-stream.
  • 26th November, 2018 - NPM unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.

Remediation

Avoid using any version of flatmap-stream and version 3.3.6 of event-stream.
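As an added example (not from the advisory), the following Node.js script checks a package-lock.json dependency tree for the packages named above: any version of flatmap-stream and exactly event-stream 3.3.6. The lockfile it scans is a constructed sample, and the flatmap-stream version number in it is a placeholder.

```javascript
// Added example: scan a package-lock.json object for the packages the
// advisory says to avoid. Handles lockfile v1 (nested "dependencies")
// and v2/v3 ("packages" keyed by node_modules path); results are
// de-duplicated by path because v2 lockfiles carry both sections.
const AFFECTED = {
  'flatmap-stream': () => true,          // every version is malicious
  'event-stream': (v) => v === '3.3.6',  // only the hijacked release
};

function findAffected(lock) {
  const hits = new Map(); // path -> { name, version, path }
  const check = (name, version, path) => {
    const isBad = AFFECTED[name];
    if (isBad && typeof version === 'string' && isBad(version)) {
      hits.set(path, { name, version, path });
    }
  };
  // v1: "dependencies" nests transitive packages under each entry.
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, meta.version, path);
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  walkV1(lock.dependencies, '');
  // v2/v3: "packages" is flat; "" is the root project itself.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;
    const idx = path.lastIndexOf('node_modules/');
    // Workspace entries (no node_modules/ in the key) carry their own name.
    const name = idx === -1 ? meta.name : path.slice(idx + 'node_modules/'.length);
    check(name, meta.version, path);
  }
  return [...hits.values()];
}

// Constructed sample lockfile (v1 shape): event-stream 3.3.6 pulling in
// flatmap-stream transitively. '0.0.1' is a placeholder version.
const SAMPLE_LOCK = {
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: { 'flatmap-stream': { version: '0.0.1' } },
    },
    'ps-tree': { version: '1.2.0' },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.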

Credit: Ayrton Sparling
CWE: CWE-506
Snyk ID: SNYK-JS-FLATMAPSTREAM-72637
Disclosed: 20 Nov, 2018
Published: 26 Nov, 2018