event-stream NPM Trojan: How a Bitcoin‑Mining Backdoor Sneaked In
The article explains how the popular Node.js package event-stream was transferred to a new maintainer who injected a malicious flatmap-stream module that steals Bitcoin, outlines the timeline of the supply‑chain attack, and provides steps for developers to detect and remediate the infection.
21CTO editorial: npm can be both a blessing and a pitfall. In March 2016 npm suffered a major incident when the author of the tiny left-pad module unpublished it, breaking builds of projects such as React and Babel.
Today the npm ecosystem faces another crisis: the widely used dependency event-stream was handed to a new maintainer, who used the handover to pull in a Bitcoin-stealing backdoor through a new dependency, flatmap-stream.
How did we fall into the trap?
event-stream is a JavaScript npm package, a toolkit for working with Node.js streams, with about 2 million weekly downloads.
Months ago the original author @dominictarr handed publish rights over to an otherwise unknown user, @right9ctrl, citing lack of time and interest. That handover is where the nightmare started.
@dominictarr: “( @right9ctrl ) emailed me saying he wanted to maintain the module, so I transferred ownership. I get no benefit from it and haven’t used it for years.”
On September 8 the new maintainer released event-stream 3.3.6, which added a dependency on a brand-new module, flatmap-stream (version 0.1.0, declared as ^0.1.0). At that point flatmap-stream contained no malicious code.
On September 16 the maintainer rewrote the code, removed the flatmap-stream dependency, and published the result as event-stream 4.0.0. Because that is a major-version bump, projects depending on ^3.x never received it: they stayed on 3.3.6, with the flatmap-stream dependency intact.
On October 5 flatmap-stream 0.1.1 was published by the npm user "hugeglass". Since 3.3.6 declared the dependency as ^0.1.0, this patch release satisfied the range and was installed automatically on the next install. It carried an obfuscated payload that harvested Bitcoin wallet keys and transferred balances out; the payload was keyed to the Copay wallet application and stayed dormant in other projects.
Since October 5, any project that installs event-stream 3.3.6, and therefore flatmap-stream 0.1.1, has been shipping the payload. The compromised dependency has been downloaded nearly 8 million times since the September 2018 update, and the original author, no longer holding publish rights, could not fix it himself.
Original author’s response
After criticism from other developers, Dominic Tarr posted a statement in a GitHub gist. In summary, he explained that he handed over maintenance because he no longer found the project enjoyable, that sharing publish access with volunteers is common practice in the Node/npm community, and suggested two remedies: pay maintainers, or have the companies that depend on a module share the maintenance burden.
How to know if you are affected and what to do
To check whether your installed dependency tree includes the malicious package, run:
$ npm ls event-stream flatmap-stream
...
flatmap-stream@0.1.1
...
If the output lists flatmap-stream (in any version) or event-stream@3.3.6, your project has pulled in the compromised dependency. Note that npm ls only inspects the node_modules tree that is actually installed, so run it in every checkout and CI image, and check package-lock.json (or yarn.lock) as well.
To remediate, remove flatmap-stream and pin event-stream to 3.3.4 (the last release before the handover) or upgrade to 4.0.0, which no longer depends on it; then regenerate the lockfile and reinstall. npm has since removed flatmap-stream and event-stream 3.3.6 from the registry, so a fresh install will fail rather than fetch them. Because the payload was built to drain Bitcoin wallets, anyone who ran an affected wallet build should treat its keys as compromised and move the funds to a new wallet.
Source: compiled from CSDN and Solidot