NPM event-stream incident

There has been a security issue with npm package event-stream

What happened?

Original issue: dominictarr/event-stream#116 (comment)
Semantic issue: Semantic-Org/Semantic-UI#6687

The library dependency flatmap-stream of event-stream which is used by some popular packages (e.g. nodemon) had a malicious code in it. That code try to steal crypto currencies, so if we are not saving them or mining we should not have any problem, however I strongly recommend you to fix it.

Is my project infected?

When we run the following command ‘npm ls event-stream flatmap-stream‘ and if we find flatmap-stream@0.0.1 or a lower version of event-stream@3.3.4 it is probably that our project is infected.

How to fix?

Please update event-stream to version 3.3.4:

By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

We could simply delete the node_modules folders and re-run npm install or re-install the infected package that we found in the previous step.

It is also important to check and fix the global packages.

Fixing nodemon, vue, angular/cli, react

Since all of them are installed globally, we could re-install it easily with the following commands:


I hope that this was helpful to you!

Leave a Reply