December 7th, 2018

Visual Studio App Center CLI Customers – Event-Stream Package Security Update and Next Steps

Amanda Chew
Senior Program Manager

On Nov 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as “right9control” in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet. You can read about the timeline of events and more details in this NPM blog post and corresponding GitHub issue.

Some recent versions of the Visual Studio App Center CLI included the compromised version of the event-stream package, however users were not impacted as the CLI does not include the `ps-tree` package and the attack was specifically engineered for copay. Nonetheless, following our investigation of the issue we immediately updated the `event-stream` module to v3.3.4 and released a new version of the App Center CLI (v1.1.8).

Important Next Steps

We recommend that you run `npm uninstall -g appcenter-cli` and `npm install -g appcenter-cli` to uninstall and re-install the App Center CLI. This removes your cached version of `event-stream@3.3.6` and ensures that `event-stream@3.3.4` is used when running App Center’s CLI. If you like, you can also run `npm audit` in the project directory to check if your version even contains the affected version of `event-stream`.

We would like to thank you, the community, for your diligence in providing feedback on this issue. We read all your comments and correspondence, and sincerely appreciate your enthusiasm and engagement.

Author

Amanda Chew
Senior Program Manager

Program Manager for Visual Studio App Center.