Blocking malicious versions of event-stream and flatmap-stream packages

On November 26, 2018, the npm package manager released security advisory 737 regarding the flatmap-stream package. It was determined that this package was malicious and contained harmful code. In addition, the popular event-stream package was modified to make use of the harmful flatmap-stream package.

These malicious packages were apparently attempting to locate bitcoin wallets stored on the computer running the packages and exfiltrate the coins. npm has removed the flatmap-stream package from its registry. Visual Studio Code has also taken steps to block affected extensions.

In response to this incident, we changed Azure DevOps to block the harmful flatmap-stream 0.1.0 package and the versions of event-stream newer than version 3.3.4 which make use of the flatmap-stream package.

We will also be contacting customers whose feeds contain the malicious packages. Once the block is deployed, you will not be able to download these packages or publish them to Azure DevOps.

Version 3.3.4 of event-stream, and versions prior to that, were not affected by this security advisory and have not been blocked. We advise users of the event-stream package to ensure that they remain on version 3.3.4.

We will provide an update when the packages have been blocked in Azure DevOps.

UPDATE: We’ve deployed the block.
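
The version rules above can be checked against a project's lockfile, including transitive dependencies. This is an added example, not code from the original post or from Azure DevOps; the function names and the sample lockfile are constructed for illustration, and it flags exactly the versions the post names as blocked.

```javascript
// Blocked per the advisory above: flatmap-stream 0.1.0, event-stream > 3.3.4.
function cmpVersion(a, b) {
  // Numeric major.minor.patch comparison; any prerelease tag is ignored.
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function isBlocked(name, version) {
  if (name === 'flatmap-stream') return version === '0.1.0';
  if (name === 'event-stream') return cmpVersion(version, '3.3.4') > 0;
  return false;
}
// Return every blocked entry in a parsed package-lock.json, with its location.
function findBlocked(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (version && isBlocked(name, version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by "node_modules/..." install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split('node_modules/').pop(), meta.version, path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies count.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
// Constructed sample lockfile (v1 layout), not taken from a real project.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'dev-tool': { version: '1.0.0', dependencies: {
    'event-stream': { version: '3.3.6', dependencies: {
      'flatmap-stream': { version: '0.1.0' } } } } },
  'event-stream': { version: '3.3.4' },
} };
console.log(findBlocked(sampleLock));
```

To scan a real project, pass the parsed contents of its package-lock.json to `findBlocked`; version fields that are not plain version numbers (for example git URLs) are not matched.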
