- Snyk ID SNYK-JS-FLATMAPSTREAM-72637
- published 26 Nov 2018
- disclosed 20 Nov 2018
- credit Ayrton Sparling
Introduced: 20 Nov 2018 | Malicious | CVE NOT AVAILABLE | CWE-506
How to fix?
Avoid using any version of flatmap-stream and version
flatmap-stream is a malicious package which was used in order to steal bitcoins from wallets. The malicious code was able to check if the copay-dash package was installed, and then attempt to steal the bitcoins stored in it. It was distributed by hijacking the popular event-stream package and adding flatmap-stream as a dependency.
You can read more about the malicious code on our blog.
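One way to check a project for the packages this advisory names, as an added example that is not Snyk's code: the function below takes a parsed package-lock.json and reports any flatmap-stream entry and event-stream 3.3.6. The function names, the sample lockfiles and the sample version numbers other than 3.3.6 and 4.0.0 are assumptions constructed for illustration.

```javascript
// Added example (not Snyk's code): find the packages this advisory names in a lockfile.
const RULES = [
  { name: "flatmap-stream", bad: () => true },         // any version
  { name: "event-stream", bad: (v) => v === "3.3.6" }, // version named in the timeline
];

function check(name, version, where, findings) {
  if (RULES.some((r) => r.name === name && r.bad(version))) {
    findings.push({ name, version, where });
  }
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkDependencies(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const next = trail.concat(name);
    check(name, info.version, next.join(" > "), findings);
    walkDependencies(info.dependencies, next, findings);
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function walkPackages(packages, findings) {
  const marker = "node_modules/";
  for (const [path, info] of Object.entries(packages)) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // root project or workspace folder, not an installed package
    check(info.name || path.slice(at + marker.length), info.version, path, findings);
  }
}

function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) walkPackages(lock.packages, findings);
  else walkDependencies(lock.dependencies, [], findings);
  return findings;
}

// Constructed sample lockfiles (not from a real project; 0.0.x versions are made up).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "event-stream": { version: "3.3.6", dependencies: {
    "flatmap-stream": { version: "0.0.1" } } },
  "through": { version: "0.0.2" } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/event-stream": { version: "4.0.0" },
  "node_modules/tool/node_modules/flatmap-stream": { version: "0.0.1" } } };

console.log(auditLockfile(SAMPLE_V1), auditLockfile(SAMPLE_V3));
```

Pass it the result of JSON.parse on a project's package-lock.json; an empty array means neither package appears in that lockfile.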
- 9th September, 2018 - GitHub user
flatmap-stream as a dependency of the package event-stream and published version 3.3.6 of the package.
- 16th September, 2018 - right9ctrl rewrites the code to remove the dependency on flatmap-stream and pushes out a new version (4.0.0).
- 20th November, 2018 - Ayrton Sparling raises an issue on
- 26th November, 2018 - NPM unpublishes the flatmap-stream package and removes version 3.3.6 of