{"id":56462,"date":"2018-11-28T16:29:46","date_gmt":"2018-11-29T00:29:46","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=56462"},"modified":"2019-05-03T16:32:24","modified_gmt":"2019-05-04T00:32:24","slug":"blocking-malicious-versions-of-event-stream-and-flatmap-stream-packages","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/blocking-malicious-versions-of-event-stream-and-flatmap-stream-packages\/","title":{"rendered":"Blocking malicious versions of event-stream and flatmap-stream packages"},"content":{"rendered":"<p>On November 26, 2018, the npm package manager released <a href=\"https:\/\/www.npmjs.com\/advisories\/737\">security advisory 737<\/a> regarding the <strong>flatmap-stream<\/strong> package. It was determined that this package was malicious, and contained harmful code. In addition, the popular <strong>event-stream <\/strong>package was modified to make use of the harmful flatmap-stream package.<\/p>\n<p>These malicious packages were apparently attempting to locate bitcoin wallets stored on the computer running the packages and exfiltrate the coins. npm has removed the flatmap-stream package from their registry. Visual Studio Code has also taken steps to <a href=\"https:\/\/code.visualstudio.com\/blogs\/2018\/11\/26\/event-stream\">block affected extensions<\/a>.<\/p>\n<p>In response to this incident, we changed Azure DevOps to block the harmful <strong>flatmap-stream <\/strong>package versions 0.1.0, 0.1.1, and 0.1.2 and <strong>event-stream<\/strong> package version <strong>3.3.6<\/strong> which makes use of the flatmap-stream package. This matches what npm package manager has done.<\/p>\n<p>We will also be contacting customers whose feeds contain the malicious packages. After deploying the block, you will not be able to download these packages or publish them to Azure DevOps.<\/p>\n<p>The safest approach with event-stream is to remain on version 3.3.4.<\/p>\n<p><strong>UPDATE<\/strong>: We&#8217;ve deployed the block.<\/p>\n<p><strong>UPDATE 2<\/strong>: I&#8217;ve updated the versions blocked, which are the same as what npm has done.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On November 26, 2018, the npm package manager released security advisory 737 regarding the flatmap-stream package. It was determined that this package was malicious, and contained harmful code. In addition, the popular event-stream package was modified to make use of the harmful flatmap-stream package. These malicious packages were apparently attempting to locate bitcoin wallets stored [&hellip;]<\/p>\n","protected":false},"author":94,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224],"tags":[],"class_list":["post-56462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"acf":[],"blog_post_summary":"<p>On November 26, 2018, the npm package manager released security advisory 737 regarding the flatmap-stream package. It was determined that this package was malicious, and contained harmful code. In addition, the popular event-stream package was modified to make use of the harmful flatmap-stream package. These malicious packages were apparently attempting to locate bitcoin wallets stored [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/56462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=56462"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/56462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=56462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=56462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=56462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}