Severity: critical

Malicious Package



Version 0.1.1 of flatmap-stream is considered malicious.

This module runs an encrypted payload targeting a very specific application, copay and because they shared the same description it would have likely worked for copay-dash.

The injected code:

  • Read in AES encrypted data from a file disguised as a test fixture
  • Grabbed the npm package description of the module that imported it, using an automatically set environment variable
  • Used the package description as a key to decrypt a chunk of data pulled in from the disguised file

The decrypted data was part of a module, which was then compiled in memory and executed.

This module performed the following actions:

  • Decrypted another chunk of data from the disguised file
  • Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
  • Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
  • Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:

The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.

This code would do the following:

  • Detect the current environment: Mobile/Cordova/Electron
  • Check the Bitcoin and Bitcoin Cash balances on the victim's copay account
  • If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
    • Harvest the victim's account data in full
    • Harvest the victim's copay private keys
    • Send the victim's account data/private keys off to a collection


If you find this module in your environment it's best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. Created

  2. Updated