Cryptocurrency-Stealing Code Distributed via Popular Library

The popular EventStream Node.js library was recently modified to fetch malicious code designed to steal crypto-currencies. Designed as a toolkit to make creating and working with streams easy, the JavaScript package has around two million downloads a week, which makes it a valuable resource to application developers and malicious actors alike. The code library was designed by a Dominic Tarr, who says he hasn’t been using it for years. However, he apparently agreed to transfer the module to another user in September 2018, who modified the library’s dependencies, which eventually resulted in malicious code being delivered to users. On September 9, the repository’s new maintainer, right9ctrl, added the flatmap-stream library as a dependency of event-stream, but then removed it on September 16, when they also pushed a new version of event-stream, Chris Northwood explains on Medium.