Tired of maintaining code that was written to be freely distributed, the original developer (a self-described “unrepentant module giver awayer”) handed the popular JavaScript library over after GitHub user “right9control” volunteered to take over its maintenance. The library, Event-Stream, is written for Node.js and has over 2 million downloads per week. Listed in NPM’s repository, it was subsequently updated with malicious code containing cryptocurrency-stealing malware.
In more detail: Event-Stream was updated to pull in Flatmap-Stream as a dependency, and Flatmap-Stream was then modified to carry the bitcoin-stealing malware.
Everyone using Event-Stream in their projects is urged to check that they are not running a tainted version and to update to the latest release, Event-Stream 4.0.1.
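One way to perform that check offline is to audit a project’s package-lock.json rather than trusting `npm ls` against a possibly compromised tree. The script below is an added example, not code from the article or from either library; it flags any event-stream older than the 4.0.1 release the article names and any flatmap-stream anywhere in the tree, and the sample lock file it scans is constructed for illustration.

```python
import json
from typing import List, Tuple

# The article names event-stream 4.0.1 as the version to update to; anything
# older is treated as suspect, and any flatmap-stream in the tree is flagged
# because that is the dependency the malicious code was added to.
SAFE_EVENT_STREAM = (4, 0, 1)
Finding = Tuple[str, str]  # (reason, install path of the offending package)

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.3.4', '^4.0.1' or '4.0.1-beta' into a comparable int tuple."""
    core = v.lstrip("^~=v").split("-")[0]
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def check(name: str, version: str, where: str, findings: List[Finding]) -> None:
    if name == "flatmap-stream":
        findings.append(("flatmap-stream present in tree", where))
    elif name == "event-stream" and parse_version(version) < SAFE_EVENT_STREAM:
        findings.append((f"event-stream {version} is older than 4.0.1", where))

def walk_v1(deps: dict, prefix: str, findings: List[Finding]) -> None:
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        where = f"{prefix}node_modules/{name}"
        check(name, meta.get("version", ""), where, findings)
        walk_v1(meta.get("dependencies", {}), where + "/", findings)

def audit_lockfile(text: str) -> List[Finding]:
    lock = json.loads(text)
    findings: List[Finding] = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                name = path.rsplit("node_modules/", 1)[-1]
                check(name, meta.get("version", ""), path, findings)
    else:
        walk_v1(lock.get("dependencies", {}), "", findings)
    return findings

# Constructed sample lock file (not a real project): a clean top-level
# event-stream plus an old copy pulled in transitively by "some-cli".
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "4.0.1"},
        "some-cli": {"version": "1.2.0", "dependencies": {
            "event-stream": {"version": "3.3.4", "dependencies": {
                "flatmap-stream": {"version": "0.1.0"}}}}},
    },
})

if __name__ == "__main__":
    for reason, where in audit_lockfile(SAMPLE_LOCK):
        print(f"{reason}: {where}")
```

Run it against a real lock file with `audit_lockfile(open("package-lock.json").read())`; an empty result means no old event-stream and no flatmap-stream were found in the locked tree.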