event-stream
event-stream dependency steals Bitcoin wallets.
The 'event-stream' npm package maintainership was transferred via social engineering to an attacker who then added 'flatmap-stream@0.1.1' as a dependency in 'event-stream@3.3.6'. This new dependency contained obfuscated, malicious code specifically designed to steal cryptocurrency (Bitcoin, Bitcoin Cash) from users of the Copay Dash wallet application by exfiltrating wallet data and private keys if balances exceeded certain thresholds.
- Date
- 2018-09-09 to 2018-11-26
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- source
- Impact
- Financial Exploitation
- Cause
- Social Engineering
What Was Affected
Package
event-stream
Languagejavascript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.org
Repository
github.com/dominictarr/event-stream
Compromised Versions
Incident Context
- Motive
- Financial Gain
- Attribution
- Individual Hacker
- Transitive
- Yes
- User Impact
- 8000000
- Observed Duration
- 78 days
Evidence
Compromised Artifacts
- registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz
- registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha1:10084752f5c006eb49b4abff6ff57d3a8abb5246sha256:a9c97713c80d0ceb8f28038890af2a0d5f28a037726ed98e46cfa5e851ffec0d
Commits
External References
Source Data
Source record: oss/event-stream/meta.yaml