package removed from npm #2

Open
borisdayma opened this issue Nov 26, 2018 · 16 comments

@borisdayma

It seems the package cannot be installed anymore from npm.

When running npm view flatmap-stream versions --json, I get:

{
  "error": {
    "code": "E404",
    "summary": "Unpublished by npm-support on 2018-11-26T17:18:17.658Z",
    "detail": "\n 'flatmap-stream' is not in the npm registry.\nYou should bug the author to publish it (or use the name yourself!)\n\nNote that you can also install from a\ntarball, folder, http url, or git url."
  }
}

@andersonsantos

Yes! This isn't a safe package! You can check it here:
dominictarr/event-stream#116

@borisdayma
Author

borisdayma commented Nov 26, 2018

Thanks, I got the issue when installing @vue/cli.
An issue has now been filed directly on that package: vuejs/vue-cli#3013

@leif

leif commented Nov 26, 2018

See https://github.com/bitpay/copay/issues/9346 and dominictarr/event-stream#116 for information about why this was removed.

@tangxiangmin

Use npm ls event-stream flatmap-stream to check if the package is installed.

@earthday

I met this issue when using jest-puppeteer

-- jest-puppeteer@3.5.1
  `-- jest-environment-puppeteer@3.5.1
    `-- jest-dev-server@3.5.1
      `-- terminate@2.1.0
        `-- ps-tree@1.1.0
          `-- event-stream@3.3.6
            `-- flatmap-stream@0.1.2
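
The npm ls check suggested above, run against a lockfile instead of an installed tree (an added example, not code from this thread or from the project): it walks a lockfileVersion 1 package-lock.json and returns the dependency chain that pulls in flatmap-stream. The lock data is constructed from the npm ls output above; `resolve`, `findChains`, `clean-dep` and the `*` ranges are assumptions.

```javascript
// Constructed lockfileVersion 1 data: names/versions from the tree above, "*" ranges are placeholders.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "jest-puppeteer": { version: "3.5.1", requires: { "jest-environment-puppeteer": "*" } },
    "jest-environment-puppeteer": { version: "3.5.1", requires: { "jest-dev-server": "*" } },
    "jest-dev-server": { version: "3.5.1", requires: { terminate: "*" } },
    terminate: { version: "2.1.0", requires: { "ps-tree": "*" } },
    "ps-tree": {
      version: "1.1.0", requires: { "event-stream": "*" },
      // Nested (non-hoisted) copy, to exercise the walk-up lookup in resolve().
      dependencies: { "event-stream": { version: "3.3.6", requires: { "flatmap-stream": "*" } } },
    },
    "flatmap-stream": { version: "0.1.2" },
    "clean-dep": { version: "1.0.0" }, // hypothetical unaffected dependency
  },
};

// Every version is flagged: the whole package was unpublished from the registry.
const FLAGGED = new Set(["flatmap-stream"]);

// Resolve a required name like Node does: nearest enclosing node_modules first.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const hit = (scopes[i].dependencies || {})[name];
    if (hit) return { entry: hit, scopes: scopes.slice(0, i + 1).concat(hit) };
  }
  return null; // optional or missing dependency
}

// roots: direct dependency names from package.json. Returns "a@1 > b@2 > flagged@3" chains.
function findChains(lock, roots) {
  const chains = [];
  for (const root of roots) {
    const seen = new Set(); // visit each installed copy once per root
    const walk = (name, scopes, path) => {
      const found = resolve(name, scopes);
      if (!found || seen.has(found.entry)) return;
      seen.add(found.entry);
      const next = path.concat(`${name}@${found.entry.version}`);
      if (FLAGGED.has(name)) return void chains.push(next.join(" > "));
      for (const dep of Object.keys(found.entry.requires || {})) walk(dep, found.scopes, next);
    };
    walk(root, [lock], []);
  }
  return chains;
}
console.log(findChains(sampleLock, ["jest-puppeteer", "clean-dep"]));
```

For a real project, pass the parsed package-lock.json and the dependency names from package.json; only the first chain found from each root is reported.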

@igibek

igibek commented Nov 27, 2018

Where can I find flatmap-stream@0.1.1? I know that it is malicious. I need it to reverse engineer.

@vladkras

@igibek https://unpkg.com/flatmap-stream@0.1.1/index.min.js

@Art4

Art4 commented Nov 27, 2018

@BennyAlex

What is the malicious code exactly? Couldn't find anything... Just out of interest

@EvanDarwin

@BennyAlex It's incredibly well obfuscated. It's the entire index.min.js file.

@naiieandrade

Hey, do you know another package similar to flatmap-stream? Because we are using it in a project.

@ktvo68

ktvo68 commented Nov 30, 2018

FYI, my Sophos software caught and removed this trojan when I tried to run my nodejs/express app locally. Phew!!!

@kiwenlau

kiwenlau commented Dec 1, 2018

@Art4 data.js is not found

@Art4

Art4 commented Dec 1, 2018

The code was removed. You can read everything about this malware in this blogpost
https://schneid.io/blog/event-stream-vulnerability-explained/

@artemv

artemv commented Dec 5, 2018

> FYI, my Sophos software caught and removed this trojan when I tried to run my nodejs/express app locally. Phew!!!

@ktvo68 that was a good job by Sophos, considering that your app was probably not a copay/copay-dash fork with the same package description. Wonder when the Sophos catch happened?

@EvanDarwin

@artemv The index.min.js file's hash is flagged as known malware, most (good) AVs should now block it.
