Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NjQtNXI3eC0ycTUz

Malicious Package in flatmap-stream

Version 0.1.1 of flatmap-stream is considered malicious.

This module runs an encrypted payload targeting a very specific application, copay and because they shared the same description it would have likely worked for copay-dash.

The injected code:

The decrypted data was part of a module, which was then compiled in memory and executed.

This module performed the following actions:

The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.

This code would do the following:

Recommendation

If you find this module in your environment it's best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.

Permalink: https://github.com/advisories/GHSA-9x64-5r7x-2q53
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NjQtNXI3eC0ycTUz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-9x64-5r7x-2q53
References: Repository: https://github.com/dominictarr/event-stream
Blast Radius: 39.4

Affected Packages

npm:flatmap-stream
Dependent packages: 3
Dependent repositories: 10,549
Downloads: 35 last month
Affected Version Ranges: = 0.1.1
No known fixed version
All affected versions: