Blocking malicious event-stream and flatmap-stream packages

Buck Hodges

On November 26, 2018, the npm package manager released security advisory 737 regarding the flatmap-stream package. It was determined that this package was malicious, and contained harmful code. In addition, the popular event-stream package was modified to make use of the harmful flatmap-stream package.

These malicious packages were apparently attempting to locate bitcoin wallets stored on the computer running the packages and exfiltrate the coins. npm has removed the flatmap-stream package from their registry. Visual Studio Code has also taken steps to block affected extensions.

In response to this incident, we changed Azure DevOps to block the harmful flatmap-stream package versions 0.1.0, 0.1.1, and 0.1.2 and event-stream package version 3.3.6 which makes use of the flatmap-stream package. This matches what npm package manager has done.

We will also be contacting customers whose feeds contain the malicious packages. After deploying the block, you will not be able to download these packages or publish them to Azure DevOps.

The safest approach with event-stream is to remain on version 3.3.4.

UPDATE: We’ve deployed the block.

UPDATE 2: I’ve updated the versions blocked, which are the same as what npm has done.


Discussion is closed.

Feedback usabilla icon