Early this morning, I checked my mobile phone and found that my WeChat groups had exploded, with 999+ unread messages, and everyone was discussing the event-stream incident. When I opened Twitter, I was flooded with the same thing.

So I looked at the GitHub issue and got the full story.

User @FallingSnow opened an issue in the event-stream repository on GitHub titled “I don’t know what to say.”, which translates roughly to “I’m speechless too.” The event-stream package had suddenly acquired an extra dependency called flatmap-stream, which steals the user’s digital currency.

event-stream is used by many popular front-end frameworks and libraries, with tens of millions of downloads per month. It is also a dependency of vue-cli, the official scaffolding tool for Vue, one of the most popular front-end frameworks, so the impact is significant. React was not affected.

The malicious code in flatmap-stream scans the user’s node_modules directory, where every module downloaded from npm is installed. If a specific module is found in node_modules, the malicious code injects itself into it to steal the user’s digital currency.

To check whether your project is affected, run:

    $ npm ls event-stream flatmap-stream
    .
    [email protected]
    .

If flatmap-stream appears in the output, your project may also have been compromised.

If you use yarn, run:

    $ yarn why flatmap-stream

According to the issue, the incident was also quite dramatic: the attacker (@right9ctrl) blatantly added the attack code about three months ago, pushed it to GitHub, and then published it to npm. So @FallingSnow asked on GitHub, “Why was @right9ctrl given access to this project?”

@dominictarr Why was @right9ctrl given access to this repo? He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree.

Shortly after, the repository’s owner (@dominictarr) gave an ironic response:

He emailed me and said he wanted to maintain the module, so I handed it over to him. I don’t get anything in return from this module, and I haven’t used it for a long time, probably a few years.

Also: I no longer have permission to publish this module.

The author had handed the module over to the hacker:

    $ npm owner ls event-stream
    right9ctrl <[email protected]>

GitHub’s commit history also shows that the author (@dominictarr) last committed code in October of last year. The hacker @right9ctrl has been maintaining the module ever since. Three months ago, the hacker created a new flatmap-stream repository (containing the malicious code) on GitHub and added it as a dependency of the project.

The malicious code was not discovered until a few days ago, when npm urgently removed the flatmap-stream module that contained it.

The malicious code is still available on GitHub for anyone interested in analyzing it. The attackers were quite sophisticated.

In the comments, @dominictarr was criticized for casually handing a module with a million downloads a week to a stranger to maintain. But those familiar with @dominictarr know that, while he is not as prolific as TJ, he maintains over 400 npm packages, which takes a great deal of time and effort.

While we don’t know what the hacker’s (@right9ctrl) email said, there is no doubt that it earned the trust of @dominictarr, who had not used the package for a long time and so transferred ownership to the hacker.

This incident has given us cause to reflect once more on the state of the Node.js community.

One final note: if you are a Vue developer, be sure to check your project. Even if you are not a Vue developer, it is a good idea to check, since many popular modules such as nodemon, npm-run-all, and ps-tree are also affected.

Read on:

  • Bots disguised as humans fix bugs for open source projects on GitHub

  • What happened to the JavaScript community’s “Smoosh gate” caused by a library?

  • Developers were unhappy with npm and unpublished all their modules

  • What did NPM do! Put hundreds of thousands of projects out of work?