A malicious package, flatmap-stream, was published to npm and later added as a dependency to the widely used event-stream package by the user right9ctrl, to whom the original maintainer had handed over publishing rights. The event-stream package is a Node.js toolkit that provides utilities for creating and managing streams, so anything that depends on it pulls in its dependencies transitively. Some time, and roughly 8 million downloads later, applications all over the web were unwittingly running the malicious code in production. The incident highlights how fragile the open-source model is when trust in maintainers and transitive dependencies is taken for granted, and why responsible disclosure and security research need to be part of the development process rather than an afterthought.