Bug 1653506 - nodejs-event-stream: Child dependency flatmap-stream included malicious code
Summary: nodejs-event-stream: Child dependency flatmap-stream included malicious code
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1653507
TreeView+ depends on / blocked
Reported: 2018-11-27 02:24 UTC by Sam Fowler
Modified: 2021-02-16 22:44 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:43:14 UTC

Attachments (Terms of Use)

Description Sam Fowler 2018-11-27 02:24:21 UTC
Version 3.3.6 of nodejs-event-stream included the child-dependency flatmap-stream. flatmap-stream is a malicious package which was used in order to steal bitcoins from wallets. The malicious code was able to check if the copay-dash package was installed, and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.

Upstream Issue:


External Reference:


Comment 1 Joshua Padman 2018-11-27 03:43:26 UTC
The version of event-stream in OpenShift Enterprise does not contain the flatmap-stream dependency and is not affected by this vulnerability.

Comment 2 Doran Moppert 2018-12-05 00:35:34 UTC
Additional information:


Comment 3 Jason Shepherd 2019-01-01 23:11:43 UTC
Red Hat Mobile Application Platform (RHMAP) does not ship a affected version of the event-stream dependency. Consequently flatmap-stream is not included with any of the RHMAP images.

Note You need to log in before you can comment on or make changes to this bug.