event-stream npm — maintainer takeover supply-chain attack
A legitimate npm maintainer gave control of the popular `event-stream` package to a stranger who asked politely. The new maintainer added a cryptocurrency-stealing backdoor targeted at the Copay Bitcoin wallet.
What happened
The original maintainer of event-stream no longer used the library and transferred ownership to a volunteer. The volunteer pushed a patch adding a dependency named `flatmap-stream`. That dependency was initially benign but was updated ten days later to include a targeted backdoor that stole wallet keys from Copay users.
Timeline
- Original maintainer transfers the package to new maintainer 'right9ctrl'.
- New maintainer publishes a patch adding the flatmap-stream dependency.
- flatmap-stream is updated to include the backdoor.
- Backdoor discovered via a deprecation warning in an unrelated library.
Root cause
Maintainer takeover of a widely used OSS package via a trust-based handoff with no verification. The backdoor was targeted, so most event-stream consumers saw no symptoms; only Copay wallet users were attacked.
Impact
- Targeted theft of cryptocurrency wallet keys
- ~8 million weekly downloads of the poisoned package
- Industry-level policy change around OSS maintainer transitions
Detectable today?
Yes. Securie's maintainer-reputation scanner flags sudden ownership transfers, new-contributor patterns and anomalous dependency additions. In 2018 no tool caught it before discovery.
Lessons
- Maintainer handoffs need verification, not just a GitHub invite
- Newly-added dependencies deserve scrutiny
- Pin and review transitive dependencies; do not trust the registry blindly
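As an added example (not from the original page, and not a Securie tool): a lockfile diff that surfaces newly introduced transitive dependencies and version bumps between two package-lock.json files, the review step that would have made flatmap-stream visible when it rode in under an event-stream bump. The lockfile contents and version numbers below are constructed, not the real registry data.

```javascript
// Added example: compare the "packages" maps of two package-lock.json files
// (lockfileVersion 2/3) and report added, removed and version-changed packages,
// naming the package that declares each new dependency.
function pkgName(path) {
  // "node_modules/a/node_modules/b" -> "b"
  return path.split("node_modules/").pop();
}

function diffLockfiles(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const report = { added: [], removed: [], changed: [] };

  for (const [path, entry] of Object.entries(after)) {
    if (path === "") continue; // "" is the root project entry
    const name = pkgName(path);
    if (!(path in before)) {
      // Who declares it? "<root>" means a direct dependency, anything else is transitive.
      const via = Object.entries(after)
        .filter(([, e]) => e.dependencies && name in e.dependencies)
        .map(([p]) => (p === "" ? "<root>" : pkgName(p)));
      report.added.push({ name, version: entry.version, resolved: entry.resolved, via });
    } else if (before[path].version !== entry.version) {
      report.changed.push({ name, from: before[path].version, to: entry.version });
    }
  }
  for (const path of Object.keys(before)) {
    if (path !== "" && !(path in after)) report.removed.push(pkgName(path));
  }
  return report;
}

// Constructed sample lockfiles (versions and URL are placeholders): a routine
// bump of event-stream that silently pulls in flatmap-stream as a transitive dep.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "event-stream": "^1.0.0" } },
  "node_modules/event-stream": { version: "1.0.0", dependencies: {} },
}};
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "event-stream": "^1.0.0" } },
  "node_modules/event-stream": { version: "1.0.1", dependencies: { "flatmap-stream": "~0.1.0" } },
  "node_modules/flatmap-stream": { version: "0.1.0", resolved: "https://registry.example/flatmap-stream-0.1.0.tgz" },
}};

function reviewSample() { return diffLockfiles(OLD_LOCK, NEW_LOCK); }

const r = reviewSample();
for (const a of r.added) console.log(`NEW ${a.name}@${a.version} via ${a.via.join(",")} -- review before merging`);
for (const c of r.changed) console.log(`bump ${c.name} ${c.from} -> ${c.to}`);
```

Run against real lockfiles by passing `JSON.parse(fs.readFileSync(...))` for each side; anything in `added` that is not `via <root>` is a transitive dependency nobody in the project chose explicitly.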