"Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
On September 9, right9control added flatmap-stream as a dependency to event-stream, and then on September 16, removed the dependency by implementing the code themselves. However, this latter change was not automatically pushed out to the library's users. On October 5, flatmap-stream was altered by a user called "hugeglass" to include obfuscated code that attempted to drain Bitcoins from wallets using the software.
Thus, anyone using event-stream and pulling in the cursed flatmap-stream, rather than the rewritten code, since October 5 would be potentially hit by the malicious script. The offending code has been removed from event-stream. If it's any relief, the hidden malware is highly targeted, and not designed to attack every programmer or application using event-stream.
"
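One way to run the "check your repos" step against a lockfile, as an added example that is not part of the quoted article or of npm's own tooling: it reports where flatmap-stream is installed and which package requires it, for both the nested (v1) and flat (v2/v3) `package-lock.json` layouts. The sample lockfiles and their `0.0.0-sample` versions are constructed placeholders; the article gives no version numbers, so a hit still has to be compared against the published advisory.

```javascript
// Scan a parsed package-lock.json for a named package (default: the one in the article).
// Returns where it is installed and which packages declare a dependency on it.
function scanLock(lock, name = "flatmap-stream") {
  const installed = [];
  const requiredBy = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const pkg = path.split("node_modules/").pop() || "(root project)";
      if (pkg === name) installed.push({ where: path, version: meta.version });
      const range = (meta.dependencies || {})[name];
      if (range) requiredBy.push({ pkg, version: meta.version, range });
    }
  } else {
    // Lockfile v1: nested "dependencies" tree, with edges listed under "requires"
    const walk = (deps, trail) => {
      for (const [pkg, meta] of Object.entries(deps || {})) {
        const where = [...trail, pkg].join(" > ");
        if (pkg === name) installed.push({ where, version: meta.version });
        const range = (meta.requires || {})[name];
        if (range) requiredBy.push({ pkg, version: meta.version, range });
        walk(meta.dependencies, [...trail, pkg]);
      }
    };
    walk(lock.dependencies, []);
  }
  return { installed, requiredBy };
}

// Constructed sample lockfiles (placeholder versions, not the real releases).
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "0.0.0-sample", requires: { "flatmap-stream": "^0.0.0-sample" } },
    "flatmap-stream": { version: "0.0.0-sample" },
  },
};
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "event-stream": "^0.0.0-sample" } },
    "node_modules/event-stream": { version: "0.0.0-sample", dependencies: { "flatmap-stream": "^0.0.0-sample" } },
    "node_modules/event-stream/node_modules/flatmap-stream": { version: "0.0.0-sample" },
  },
};

console.log(JSON.stringify(scanLock(SAMPLE_V3), null, 2));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `scanLock`; an empty `installed` list together with a non-empty `requiredBy` list means a dependency still declares the package even though it is not currently resolved in the tree.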