Bug 1653506 - nodejs-event-stream: Child dependency flatmap-stream included malicious code
Summary: nodejs-event-stream: Child dependency flatmap-stream included malicious code
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1653507
TreeView+ depends on / blocked
 
Reported: 2018-11-27 02:24 UTC by Sam Fowler
Modified: 2019-09-29 15:03 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:14 UTC


Attachments (Terms of Use)

Description Sam Fowler 2018-11-27 02:24:21 UTC
Version 3.3.6 of nodejs-event-stream included the child-dependency flatmap-stream. flatmap-stream is a malicious package which was used in order to steal bitcoins from wallets. The malicious code was able to check if the copay-dash package was installed, and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.


Upstream Issue:

https://github.com/dominictarr/event-stream/issues/116


External Reference:

https://snyk.io/vuln/SNYK-JS-FLATMAPSTREAM-72637

Comment 1 Joshua Padman 2018-11-27 03:43:26 UTC
The version of event-stream in OpenShift Enterprise does not contain the flatmap-stream dependency and is not affected by this vulnerability.

Comment 2 Doran Moppert 2018-12-05 00:35:34 UTC
Additional information:

https://access.redhat.com/articles/3724771

Comment 3 Jason Shepherd 2019-01-01 23:11:43 UTC
Red Hat Mobile Application Platform (RHMAP) does not ship a affected version of the event-stream dependency. Consequently flatmap-stream is not included with any of the RHMAP images.


Note You need to log in before you can comment on or make changes to this bug.