
Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #115

Open
NewEraCracker opened this Issue Nov 19, 2018 · 4 comments


NewEraCracker commented Nov 19, 2018

I'm using version 3.3.6 of this module. flatmap-stream was added by this commit:
e316336

The new updates to the package on npm are very suspicious.

0.1.0: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz
0.1.1: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
0.1.2: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.2.tgz

Regards.


kevinburke commented Nov 26, 2018

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.


funny-falcon commented Nov 26, 2018

There were no bad intentions:
#73


kevinburke commented Nov 26, 2018

per the description linked here: #116 (comment)

the package attempts to steal Bitcoin from an installed Bitcoin wallet, so yes, it does seem like there were really bad intentions!!!


funny-falcon commented Nov 26, 2018

I mean flatmap-stream was added to this repository not to steal bitcoins but to implement functionality. @right9ctrl just didn't know flatmap was malicious.
