This repository has been archived by the owner on Jul 19, 2023. It is now read-only.

Remove event-stream dependency -- malicious actor #2

Closed
dpilafian opened this issue Nov 27, 2018 · 0 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@dpilafian
Member

event-stream
critical severity
Vulnerable versions: > 3.3.4
Patched version: No fix

The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in versions 3.3.6 and later. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4.

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib:
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
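
The advisory above names the affected versions (event-stream newer than 3.3.4, and flatmap-stream itself) but not how to find them in a tree of transitive dependencies. The following scanner is an added example written for this page, not code from the issue author or from this project: it walks a parsed package-lock.json and reports every event-stream entry newer than 3.3.4 and every flatmap-stream entry, together with the dependency path it was reached through. The two sample lockfiles, the package names `some-build-tool` and `through`, and the `0.0.0-placeholder` flatmap-stream version are constructed for the example; the lockfile layouts assumed are npm's lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages` map keyed by install path).

```javascript
'use strict';

// Compare two dotted version strings numerically (any pre-release suffix
// after "-" is ignored). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const LAST_SAFE_EVENT_STREAM = '3.3.4'; // last non-malicious version per the advisory

// Scan a parsed package-lock.json and return every event-stream newer than
// 3.3.4 and every flatmap-stream entry, with the path by which it was reached.
function findEventStreamIssues(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === 'flatmap-stream') {
      findings.push({ name, version, where, reason: 'flatmap-stream is the malicious package itself' });
    } else if (name === 'event-stream' && compareVersions(version, LAST_SAFE_EVENT_STREAM) > 0) {
      findings.push({ name, version, where, reason: 'event-stream > 3.3.4 depends on flatmap-stream' });
    }
  };

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (!key) continue;
      const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
      check(name, entry.version, key);
    }
    return findings;
  }

  // lockfileVersion 1: nested "dependencies" tree, walked depth-first.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${entry.version}`];
      check(name, entry.version, path.join(' > '));
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (lockfileVersion 1), not from any real project:
// a clean top-level event-stream 3.3.4 plus a build tool that nests 3.3.6,
// which in turn pulls in flatmap-stream. The flatmap-stream version is a
// placeholder; the scanner flags any version of it.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.3.4', dependencies: { through: { version: '2.3.8' } } },
    'some-build-tool': {
      version: '0.1.0',
      dependencies: {
        'event-stream': {
          version: '3.3.6',
          dependencies: { 'flatmap-stream': { version: '0.0.0-placeholder' } },
        },
      },
    },
  },
};

// The same dependency graph in the lockfileVersion 3 layout (also constructed).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/event-stream': { version: '3.3.4' },
    'node_modules/through': { version: '2.3.8' },
    'node_modules/some-build-tool': { version: '0.1.0' },
    'node_modules/some-build-tool/node_modules/event-stream': { version: '3.3.6' },
    'node_modules/some-build-tool/node_modules/flatmap-stream': { version: '0.0.0-placeholder' },
  },
};

// Print the findings for one lockfile and return them.
function report(label, lock) {
  const findings = findEventStreamIssues(lock);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.name}@${f.version} at ${f.where}: ${f.reason}`);
  return findings;
}

report('v1 lockfile', SAMPLE_LOCK);
report('v3 lockfile', SAMPLE_LOCK_V3);
```

On a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested 3.3.6 in the sample is the case the advisory's "downgrade to 3.3.4" advice does not cover on its own: a top-level pin to 3.3.4 leaves a copy pulled in by another dependency untouched, which is why the scanner records the full path and not just the package name.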

dpilafian added a commit that referenced this issue Nov 27, 2018
@dpilafian dpilafian added help wanted Extra attention is needed bug Something isn't working labels Nov 27, 2018