Supply Chain Incident
event-stream malicious dependency insertion
A maintainer transfer enabled a malicious dependency to be added to the event-stream npm package dependency tree, targeting downstream cryptocurrency wallet software.
Executive Summary
The event-stream incident turned a maintainer-transfer path into a malicious dependency insertion path for an npm package with downstream cryptocurrency-wallet exposure.
Threatpedia models this case as package publishing through the npm ecosystem, with event-stream and flatmap-stream preserved as separate package entities.
Timeline
- Dependency path changes before disclosure: The corpus records first observed activity before public disclosure, reflecting the period in which the malicious dependency path existed before community triage.
- Public issue documents the compromise: The public GitHub issue became the primary reference for the package-maintenance transfer and the malicious dependency discussion.
Attack Chain
- Maintainer transfer: The incident began with a maintainer-transfer path that changed who could influence the package dependency tree.
- Malicious dependency insertion: The malicious package flatmap-stream entered the event-stream dependency path and became the payload-bearing component in the corpus model.
- Downstream targeting: The corpus records credential and cryptocurrency-theft impact categories because the dependency path was tied to downstream wallet exposure.
Affected Ecosystem
The affected ecosystem is npm, with event-stream as the trusted upstream package and flatmap-stream as the malicious dependency component.
Defensive Lessons
High-impact package transfers should be treated as supply-chain events because maintainer authority can change dependency risk without changing the package name.
Dependency review should include newly introduced transitive packages, especially when a previously trusted package changes maintainership or dependency structure.
Detection Notes
Useful detection pivots include the event-stream and flatmap-stream package names, npm registry publication paths, and dependency tree changes around the disclosure window.
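As an added example (not code from the Threatpedia record or from the event-stream project), the following script implements the transitive-dependency review from Defensive Lessons and the dependency-tree pivot from Detection Notes: it diffs two npm lockfile trees (v1 "dependencies" layout) and reports packages that appear only in the newer tree, with the packages whose `requires` map pulls them in and a watchlist flag. The lockfile fragments are constructed; only flatmap-stream@0.1.1 comes from the record, the other versions are placeholders.

```javascript
// Collect every name@version in a lockfile tree, including entries nested
// under a parent's "dependencies" (npm's de-duplication layout).
function flattenTree(deps, out = new Map()) {
  for (const [name, meta] of Object.entries(deps || {})) {
    out.set(`${name}@${meta.version}`, { name, requires: meta.requires || {} });
    flattenTree(meta.dependencies, out);
  }
  return out;
}

// Packages present in `after` but absent from `before`. newName marks a
// package name not seen at all in the old tree (a freshly introduced
// transitive dep, as opposed to a version bump); requiredBy lists the
// packages whose "requires" map pulls it in (empty for a direct dep).
function newTransitiveDeps(before, after, watchlist = []) {
  const prev = flattenTree(before.dependencies);
  const next = flattenTree(after.dependencies);
  const prevNames = new Set([...prev.values()].map((e) => e.name));
  const findings = [];
  for (const [key, { name }] of next) {
    if (prev.has(key)) continue;
    const requiredBy = [...next.values()]
      .filter((e) => name in e.requires)
      .map((e) => e.name);
    findings.push({
      pkg: key,
      newName: !prevNames.has(name),
      requiredBy,
      watchlisted: watchlist.includes(name),
    });
  }
  return findings;
}

// Constructed lockfile fragments: the trusted package gains a new transitive
// dependency between two installs. Versions 1.0.0/1.0.1/2.3.8 are placeholders.
const BEFORE = { dependencies: {
  "event-stream": { version: "1.0.0", requires: { through: "^2.3.0" } },
  through: { version: "2.3.8" },
} };
const AFTER = { dependencies: {
  "event-stream": { version: "1.0.1", requires: { through: "^2.3.0", "flatmap-stream": "0.1.1" } },
  "flatmap-stream": { version: "0.1.1" },
  through: { version: "2.3.8" },
} };

// Review the newer install against the older one, pivoting on the record's names.
function reviewInstall() {
  return newTransitiveDeps(BEFORE, AFTER, ["event-stream", "flatmap-stream"]);
}
```

In practice the same comparison runs in CI over the committed lockfile and the freshly resolved one, so a trusted package silently gaining a new requirer-to-package edge shows up before the install is trusted.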
Open Questions
The corpus preserves the package and maintainer entities but does not expand this record into actor attribution.
Affected Packages
Affected Releases
- flatmap-stream@0.1.1 pkg:npm/flatmap-stream@0.1.1 · published 2018-09-09 Release
Repositories
Organizations
No structured records.
Maintainers
Threat Actors
No structured records.
Campaigns
No structured records.
Build Systems
No structured records.
Distribution Channels
- npm registry
Compromised Accounts
No structured records.
Connected Entities
- Dominic Tarr Maintainer
- dominictarr/event-stream Repository
- event-stream Package
- flatmap-stream Package
- flatmap-stream@0.1.1 Release
- npm registry Distribution Channel
- right9ctrl Maintainer
Tenure At Malicious Release
| Maintainer | Anchor | Release | Elapsed |
|---|---|---|---|
| right9ctrl | First Publish · 2018-09-09 | pkg:npm/flatmap-stream@0.1.1 published 2018-09-09 | 0 days |
References
- "I don't have time to maintain this package" (GitHub issue) · 2018-11-26