Running `npm audit` showed the following info:
```
Critical:       Malicious Package
Package:        flatmap-stream
Patched in:     No patch available
Dependency of:  onsenui
Path:           onsenui > gulp-protractor > event-stream > flatmap-stream
More info:      https://nodesecurity.io/advisories/737
```
What exactly happened? Apparently the maintainer of `flatmap-stream` gave write access to his repo to a random guy claiming to want to maintain the package. Both of them have had their write access removed as of now.
I have since reported this issue to the OnsenUI community: https://github.com/OnsenUI/OnsenUI/issues/2592
If you're using this in production, please watch out.
More details here: https://github.com/dominictarr/event-stream/issues/116
P.S. This applies to anyone who uses packages that use `flatmap-stream`, not just OnsenUI.
To find out if you're affected, run `npm audit`.
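
As a cross-check on the `Path` line that `npm audit` prints, here is an added example (not part of the original post and not npm's own code) that traces which installed packages pull in `flatmap-stream` from a parsed `package-lock.json`. It assumes the lockfileVersion 2/3 `packages` layout; the function names `resolve` and `findPaths`, the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example. Input: parsed package-lock.json, lockfileVersion 2 or 3 (flat "packages" map).

// Resolve `name` the way Node does from the package installed at `from`:
// its own node_modules first, then each parent up to the project root.
function resolve(packages, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Return one "a > b > target" chain for every installed package that
// depends directly on `target`. Each package is expanded only once.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const found = [];
  const visited = new Set([""]);
  const walk = (path, chain) => {
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
      ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, path, name);
      if (!next) continue;
      if (name === target) {
        found.push({ path: [...chain, name].join(" > "), version: packages[next].version });
      } else if (!visited.has(next)) {
        visited.add(next);
        walk(next, [...chain, name]);
      }
    }
  };
  walk("", []);
  return found;
}

// Constructed lockfile mirroring the audit path above; versions are placeholders.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { dependencies: { onsenui: "*", "some-other-lib": "*" } },
  "node_modules/onsenui": { version: "0.0.1", dependencies: { "gulp-protractor": "*" } },
  "node_modules/gulp-protractor": { version: "0.0.2", dependencies: { "event-stream": "*" } },
  "node_modules/event-stream": { version: "0.0.3", dependencies: { "flatmap-stream": "*" } },
  "node_modules/flatmap-stream": { version: "0.0.4" },
  "node_modules/some-other-lib": { version: "0.0.5" },
} };
console.log(findPaths(sampleLock, "flatmap-stream"));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` as the first argument; an empty array means no installed package depends on the target.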