Malicious Package Affecting flatmap-stream package, versions *



    Attack Complexity: Low
    Confidentiality: High
    Integrity: High
    Availability: High

    Threat Intelligence

    Exploit Maturity: Mature

  • published 26 Nov 2018
  • disclosed 20 Nov 2018
  • credit Ayrton Sparling

Introduced: 20 Nov 2018

Malicious | CVE: not available | CWE-506

How to fix?

Avoid using any version of flatmap-stream and version 3.3.6 of event-stream.


flatmap-stream is a malicious package that was used to steal bitcoins from wallets. The malicious code checked whether the copay-dash package was installed and, if so, attempted to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency of it.
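As an added example (not code from the Snyk advisory or from the event-stream or flatmap-stream projects), the Node.js script below applies the fix guidance above to a package-lock.json tree: it flags any version of flatmap-stream and exactly event-stream 3.3.6, including transitive copies nested under other packages, for both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages") layouts. The sample lockfiles in the block are constructed; apart from event-stream 3.3.6 and 4.0.0, which the advisory names, the package names and versions in them are assumptions.

```javascript
// Added example, not code from the advisory or the affected projects.
// Scans a parsed package-lock.json for the packages the advisory says to
// avoid: every version of flatmap-stream, and event-stream at exactly 3.3.6.

// Predicate per package name: which versions are blocked.
const BLOCKLIST = {
  "flatmap-stream": () => true,          // advisory: versions *
  "event-stream": (v) => v === "3.3.6",  // the release that added flatmap-stream
};

// Returns one finding per blocked package instance in the lockfile.
// lockfileVersion 2 carries both "packages" and "dependencies"; "packages"
// is authoritative there, so it is checked first to avoid double reporting.
function findBlockedPackages(lock) {
  const findings = [];
  if (lock.packages) {
    // v2/v3: keys are node_modules paths such as
    // "node_modules/event-stream/node_modules/flatmap-stream"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const name = path.split("node_modules/").pop();
      checkPackage(name, meta.version, path, findings);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// v1 lockfiles nest transitive dependencies inside each entry.
function walkV1(deps, parentPath, findings) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = parentPath ? `${parentPath} > ${name}` : name;
    checkPackage(name, meta.version, path, findings);
    if (meta.dependencies) walkV1(meta.dependencies, path, findings);
  }
}

function checkPackage(name, version, path, findings) {
  const isBlocked = BLOCKLIST[name];
  if (isBlocked && isBlocked(version)) {
    findings.push({ name, version, path });
  }
}

// Constructed sample lockfiles (not real project data). The v1 sample mirrors
// the shape of the incident: a tool depends on event-stream 3.3.6, which in
// turn pulls in flatmap-stream. Package names other than the two from the
// advisory are hypothetical.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-cli-tool": {
      version: "1.0.0",
      dependencies: {
        "event-stream": {
          version: "3.3.6",
          dependencies: {
            "flatmap-stream": { version: "0.1.1" },
          },
        },
      },
    },
    lodash: { version: "4.17.11" },
  },
};

const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/event-stream": { version: "4.0.0" },   // rewritten release, not blocked
    "node_modules/flatmap-stream": { version: "0.1.0" }, // blocked: any version
  },
};

// Prints findings and returns their count, so a CI step can fail on non-zero.
function report(lock) {
  const findings = findBlockedPackages(lock);
  for (const f of findings) {
    console.log(`BLOCKED ${f.name}@${f.version} at ${f.path}`);
  }
  return findings.length;
}

report(SAMPLE_LOCK_V1);
report(SAMPLE_LOCK_V3);
```

To run this against a real project, pass the parsed file instead of a sample, e.g. `report(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))`, and fail the build when the returned count is non-zero. The walk deliberately checks every nested copy rather than only top-level entries, because in the incident the malicious package arrived as a transitive dependency of event-stream, not as something projects declared directly.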

You can read more about the malicious code on our blog.

Disclosure Timeline

  • 9th September, 2018 - GitHub user right9ctrl adds flatmap-stream as a dependency of the package event-stream and publishes version 3.3.6 of the package.
  • 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
  • 20th November, 2018 - Ayrton Sparling raises an issue on event-stream.
  • 26th November, 2018 - npm unpublishes the flatmap-stream package and removes version 3.3.6 of event-stream.