Open Source · 2018-09-09 · 78 days · Financial Exploitation

event-stream dependency stole wallet funds

The event-stream npm package maintainership was transferred to an attacker using the handle right9ctrl.

Story

The event-stream incident began with a maintainer transfer. Dominic Tarr gave publish rights to the right9ctrl account after that user offered to help maintain an old package. On September 9, 2018, right9ctrl published event-stream 3.3.6 with a new dependency on flatmap-stream.

The malicious code was not in the visible event-stream source. It was in flatmap-stream@0.1.1, published in October 2018. The code was obfuscated, loaded encrypted data, and decrypted it only when run inside the Copay build path. During Copay packaging it modified the wallet's JavaScript so that it could leak wallet data and private keys.

The targeting was careful. Most event-stream consumers inherited a suspicious dependency but were not the intended cash-out path. BitPay's Copay wallet builds gave the payload the context it needed, which turned a general-purpose stream library into a route toward cryptocurrency theft.

FallingSnow opened the public GitHub issue on November 20, 2018. Analysis in the thread identified Copay-related libraries as the target and recommended checking for flatmap-stream@0.1.1. npm removed the malicious packages, took control of event-stream, and advised users to move back to event-stream 3.3.4 or use remediated downstream builds.
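The check recommended in the thread, as an added example that is not part of the original record: it walks an npm lockfile object and reports the event-stream and flatmap-stream versions named above. The embedded lockfile is a constructed sample, and the handling of lockfile v1 (nested `dependencies`) versus v2/v3 (`packages` keyed by `node_modules/` path) is my assumption about the npm formats.

```javascript
// Added example (not code from the event-stream project or the incident thread).
// Versions named in the record: flatmap-stream 0.1.1 carried the payload,
// event-stream 3.3.6 introduced the dependency; the advised rollback was 3.3.4.
const COMPROMISED = new Map([
  ['flatmap-stream', new Set(['0.1.1'])],
  ['event-stream', new Set(['3.3.6'])],
]);

// Return every install path whose package/version pair is on the list.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the root project
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (!key) continue;
      const name = key.split('node_modules/').pop();
      if (COMPROMISED.get(name)?.has(meta.version)) hits.push({ name, version: meta.version, path: key });
    }
    return hits; // v2 also carries a "dependencies" tree; skip it to avoid double counting
  }
  // lockfile v1: recursively nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (COMPROMISED.get(name)?.has(meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Convenience wrapper for a real file on disk (package-lock.json or npm-shrinkwrap.json).
function scanLockfile(file) {
  return findCompromised(JSON.parse(require('fs').readFileSync(file, 'utf8')));
}

// Constructed v1-style lockfile: event-stream 3.3.6 with flatmap-stream 0.1.1 nested under it.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.3.6', dependencies: { 'flatmap-stream': { version: '0.1.1' } } },
    through: { version: '2.3.8' },
  },
};

console.log(findCompromised(SAMPLE_LOCK)); // two findings: event-stream 3.3.6 and the nested flatmap-stream 0.1.1
```

A clean tree that is already on event-stream 3.3.4 without flatmap-stream produces no findings, so the wrapper can run as a CI gate on every lockfile in a repository.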

Affected Artifacts

flatmap-stream

Observed
2018-10-05 to 2018-11-26
Compromised Versions
0.1.1
Fixed
Not listed
Hashes
  • sha1:10084752f5c006eb49b4abff6ff57d3a8abb5246
  • sha256:a9c97713c80d0ceb8f28038890af2a0d5f28a037726ed98e46cfa5e851ffec0d
Notes
  • The payload targeted Copay-related builds rather than every event-stream consumer.
  • ZDNet reported that event-stream had more than two million weekly downloads at the time.

Incident Context

Motive
Financial Gain
Attribution
Person
Cause
Social Engineering
Transitive
Yes
Actor
Individual Hacker
User Impact
8000000

External References

Source record: oss/attacks/event-stream/meta.yaml