Version 3.3.6 of nodejs-event-stream included the child-dependency flatmap-stream. flatmap-stream is a malicious package which was used in order to steal bitcoins from wallets. The malicious code was able to check if the copay-dash package was installed, and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.
The version of event-stream in OpenShift Enterprise does not contain the flatmap-stream dependency and is not affected by this vulnerability.
Red Hat Mobile Application Platform (RHMAP) does not ship a affected version of the event-stream dependency. Consequently flatmap-stream is not included with any of the RHMAP images.