Visual Studio App Center CLI Customers – Event-Stream Package Security Update and Next Steps
On November 26, 2018, the npm security team removed flatmap-stream from the popular event-stream package. In late September, flatmap-stream had been added as a dependency by a GitHub developer identified as “right9control” in an apparent attempt to attack the ps-tree package running in copay, a cryptocurrency wallet. You can read about the timeline of events and more details in this NPM blog post and corresponding GitHub issue.
Some recent versions of the Visual Studio App Center CLI included the compromised version of the event-stream package; however, users were not impacted, as the CLI does not include the ps-tree package and the attack was specifically engineered for copay. Nonetheless, following our investigation of the issue, we immediately updated the event-stream module to v3.3.4 and released a new version of the App Center CLI (v1.1.8).
Important Next Steps
We recommend that you run npm uninstall -g appcenter-cli and npm install -g appcenter-cli to uninstall and re-install the App Center CLI. This removes your cached version of the compromised event-stream package and ensures that event-stream v3.3.4 is used when running App Center’s CLI. If you like, you can also run npm audit in the project directory to check if your version even contains the affected version of
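As a complement to npm audit, the following added example (not code from the App Center team or npm) walks a dependency tree in the shape printed by npm ls --json and reports every flatmap-stream and event-stream entry with its dependency path. The sample trees, the 0.0.0-constructed versions and the function names are constructed for illustration.

```javascript
// Added example: search a dependency tree shaped like `npm ls --json` output
// for the two packages named in this advisory.
const WATCHED = new Set(["flatmap-stream", "event-stream"]);

// Depth-first walk; records every occurrence together with its dependency path.
function findPackages(tree, trail = [tree.name || "(root)"], hits = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (WATCHED.has(name)) {
      hits.push({ name, version: node.version || "unknown", path: path.join(" > ") });
    }
    findPackages(node, path, hits);
  }
  return hits;
}

// flatmap-stream is the dependency npm removed, so any occurrence is flagged.
function assess(tree) {
  const hits = findPackages(tree);
  return { flagged: hits.some((h) => h.name === "flatmap-stream"), hits };
}

// Constructed sample trees; "0.0.0-constructed" versions are placeholders,
// and the nesting is illustrative, not the CLI's real dependency graph.
const SAMPLE_AFFECTED = {
  name: "global",
  dependencies: {
    "appcenter-cli": { version: "0.0.0-constructed", dependencies: {
      "event-stream": { version: "0.0.0-constructed", dependencies: {
        "flatmap-stream": { version: "0.0.0-constructed" },
      } },
    } },
  },
};
const SAMPLE_CLEAN = {
  name: "global",
  dependencies: {
    "appcenter-cli": { version: "1.1.8", dependencies: { "event-stream": { version: "3.3.4" } } },
  },
};

// Optional (CommonJS): node check.js tree.json, where tree.json holds saved
// `npm ls -g --json` output.
if (typeof require !== "undefined" && process.argv[2]) {
  const tree = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log(JSON.stringify(assess(tree), null, 2));
}
```

A flagged result lists the path that pulls in flatmap-stream, which shows which globally installed tool still needs the uninstall and re-install described above.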
We would like to thank you, the community, for your diligence in providing feedback on this issue. We read all your comments and correspondence, and sincerely appreciate your enthusiasm and engagement.