package removed from npm #2

Open
borisd13 opened this Issue Nov 26, 2018 · 16 comments

borisd13 commented Nov 26, 2018

It seems the package cannot be installed anymore from npm.

When running `npm view flatmap-stream versions --json`, I get:

```
{
  "error": {
    "code": "E404",
    "summary": "Unpublished by npm-support on 2018-11-26T17:18:17.658Z",
    "detail": "\n 'flatmap-stream' is not in the npm registry.\nYou should bug the author to publish it (or use the name yourself!)\n\nNote that you can also install from a\ntarball, folder, http url, or git url."
  }
}
```

andersonsantos commented Nov 26, 2018

Yes! This isn't a safe package! You can check it here:
dominictarr/event-stream#116

borisd13 commented Nov 26, 2018

Thanks, I got the issue when installing @vue/cli.
An issue has now been filed directly on that package: vuejs/vue-cli#3013

leif commented Nov 26, 2018

See bitpay/copay#9346 and dominictarr/event-stream#116 for information about why this was removed.

tangxiangmin commented Nov 27, 2018

Use `npm ls event-stream flatmap-stream` to check if the package is installed.

earthday commented Nov 27, 2018

I met this issue when using jest-puppeteer

```
-- jest-puppeteer@3.5.1
  `-- jest-environment-puppeteer@3.5.1
    `-- jest-dev-server@3.5.1
      `-- terminate@2.1.0
        `-- ps-tree@1.1.0
          `-- event-stream@3.3.6
            `-- flatmap-stream@0.1.2
```
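
The `npm ls` check suggested above can also be run against the lockfile, which still works when `npm install` fails with E404 and nothing is installed. This is an added example, not code from the thread or from any project mentioned in it; it generalizes to both the nested (lockfileVersion 1) and flat (lockfileVersion 2/3) formats, and `lockEntries`, `auditLock` and `SAMPLE_V1` are names made up here, with a constructed sample lockfile.

```javascript
// Added example (not from the thread). Works on an already-parsed
// package-lock.json, so it needs no registry access and no node_modules.

// Yield every locked package as { name, version, requires }.
function* lockEntries(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop() || '(root)';
      yield { name, version: meta.version, requires: meta.dependencies || {} };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies", declared ranges in "requires".
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, meta] of Object.entries(stack.pop())) {
      yield { name, version: meta.version, requires: meta.requires || {} };
      if (meta.dependencies) stack.push(meta.dependencies);
    }
  }
}

// Report locked copies of the named packages and who declares a need for them.
function auditLock(lock, names) {
  const installed = [];
  const dependents = [];
  for (const entry of lockEntries(lock)) {
    const id = `${entry.name}@${entry.version}`;
    if (names.includes(entry.name)) installed.push(id);
    for (const [dep, range] of Object.entries(entry.requires)) {
      if (names.includes(dep)) dependents.push(`${id} -> ${dep}@${range}`);
    }
  }
  return { installed: installed.sort(), dependents: dependents.sort() };
}

// Constructed sample: versions follow the tree above, ranges are illustrative.
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'ps-tree': { version: '1.1.0', requires: { 'event-stream': '~3.3.0' } },
    'event-stream': { version: '3.3.6', requires: { 'flatmap-stream': '^0.1.0' } },
    'flatmap-stream': { version: '0.1.2' },
  },
};

console.log(auditLock(SAMPLE_V1, ['flatmap-stream']));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument.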

igibek commented Nov 27, 2018

Where can I find flatmap-stream@0.1.1? I know that it is malicious. I need it to reverse engineer.

BennyAlex commented Nov 29, 2018

What is the malicious code exactly? Couldn't find anything... Just out of interest.

EvanDarwin commented Nov 29, 2018

@BennyAlex It's incredibly well obfuscated. It's the entire index.min.js file.

naiieandrade commented Nov 29, 2018

Hey, do you know another package similar to flatmap-stream? Because we are using it in a project.

ktvo68 commented Nov 30, 2018

FYI, my Sophos software caught and removed this trojan when I tried to run my nodejs/express app locally. Phew!!!

kiwenlau commented Dec 1, 2018

@Art4 data.js is not found

Art4 commented Dec 1, 2018

The code was removed. You can read everything about this malware in this blog post:
https://schneid.io/blog/event-stream-vulnerability-explained/

artemv commented Dec 5, 2018

> FYI, my Sophos software caught and removed this trojan when I tried to run my nodejs/express app locally. Phew!!!

@ktvo68 that was a good job for Sophos, considering that your app was probably not a copay/copay-dash fork with the same package description. Wonder when the Sophos catch happened?

EvanDarwin commented Dec 6, 2018

@artemv The index.min.js file's hash is flagged as known malware, most (good) AVs should now block it.
