
A post-mortem of the malicious event-stream backdoor

What's this blog post about?

A malicious package, flatmap-stream, was published to npm and later added as a dependency of the widely used event-stream package by the npm user right9ctrl. The event-stream package is a toolkit of utilities for creating and managing Node.js streams. Some time, and roughly 8 million downloads, later, applications across the web were unwittingly running the malicious code in production. The incident highlights how fragile the open-source model is when its trust relationships are not respected, and why responsible disclosure and security research need to be part of the development process.

Company
Snyk

Date published
Dec. 6, 2018

Author(s)
Danny Grander, Liran Tal

Word count
1470

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.