A post-mortem of the malicious event-stream backdoor
A malicious package, flatmap-stream, was published to npm and later added as a dependency to the widely used event-stream package by the user right9ctrl. The event-stream package is a toolkit that provides utilities for creating and managing streams. Some time, and 8 million downloads, later, applications all over the web were unwittingly running malicious code in production. This incident highlights the fragility of the open-source model when trust in it is not respected, and the need for responsible disclosure and security research as part of the development process.
Company: Snyk
Date published: Dec. 6, 2018
Author(s): Danny Grander, Liran Tal
Word count: 1470
Hacker News points: None found.
Language: English