Compromised npm Package: event-stream
Yesterday I published an article on the Intrinsic blog on the recently compromised npm package, event-stream. Here's a quick excerpt from the article:
Ownership of a popular npm package, event-stream, was transferred by the original author to a malicious user, right9ctrl. This package receives over 1.5mm weekly downloads and is depended on by nearly 1,600 other packages. The malicious user was able to gain the trust of the original author by making a series of meaningful contributions to the package. The first publish of this package by the malicious user occurred on September 4th, 2018.
To view the whole thing, check out Compromised npm Package: event-stream.
Also, this morning, I was interviewed as part of the DevSecOps Days podcast. Take a listen to the episode over at event-stream: Analysis of a Compromised npm Package.