Compromised npm Package: event-stream

Visit the original version of this article on Medium.

Yesterday I published an article on the Intrinsic blog on the recently compromised npm package, event-stream. Here's a quick excerpt from the article:

Ownership of a popular npm package, event-stream, was transferred by the original author to a malicious user, right9ctrl. This package receives over 1.5mm weekly downloads and is depended on by nearly 1,600 other packages. The malicious user was able to gain the trust of the original author by making a series of meaningful contributions to the package. The first publish of this package by the malicious user occurred on September 4th, 2018.

To view the whole thing, check out Compromised npm Package: event-stream.

Also, this morning, I was interviewed as part of the DevSecOps Days podcast. Take a listen to the episode over at event-stream: Analysis of a Compromised npm Package.


Thomas is the author of Advanced Microservices and is a prolific public speaker with a passion for reducing complex problems into simple language and diagrams. His career includes working at Fortune 50 companies in the Midwest, co-founding a successful startup, and everything in between.