Compromised npm “event-stream” and “flatmap-stream” packages lead to supply chain attack

For the past week security researchers have been pouring over strange encrypted source code that was inserted into a popular npm module named “event-stream”. This source code has been decrypted and determined to be code designed to target the “copay” cryptocurrency wallet in order to steal money from individuals with high balances in their account.

Found by chance by a developer examining a build warning, this malicious code was inserted a few months ago, possibly by a new maintainer for the project. The code is designed to be triggered only when certain conditions are met, though it is installed on thousands of machines and reported to be used in millions of builds per week.

Supply chain attacks like this are becoming more prevalent since it is beyond most organization’s ability to audit and review all source of their third party dependencies. It is important to keep a current software Bill of Materials (BOM) in order to quickly respond to announcements of this type.

For more information and background, check out the Github issue discussion at



Category: General