node.js Error! 404 Not Found: [email protected]
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
原文地址: http://stackoverflow.com/questions/53578201/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
npm ERR! 404 Not Found: [email protected]
Asked by Matt
I am trying to deploy my project and I'm suddenly getting this error.
npm ERR! 404 Not Found: [email protected]
Answered by Matt
tldr;
Holy cow! It turns out that the event-stream package had a vulnerability that allowed a hacker to steal bitcoin.
To fix it you need to update your event-stream package.
- Delete the node_modules folder.
- Delete the package-lock.json file.
- Run npm install.
This should update your packages to a safe version and you should be good to go.
And here is the official response from the NPM blog:
Details about the event-stream incident
This is an analysis of the event-stream incident of which many of you became aware earlier this week. npm acts immediately to address operational concerns and issues that affect the safety of our community, but we typically perform more thorough analysis before discussing incidents—we know you've been waiting.
On the morning of November 26th, npm's security team was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm Security responded by removing flatmap-stream and [email protected] from the Registry and taking ownership of the event-stream package to prevent further abuse.
The malicious package was version 0.1.1 of flatmap-stream. This package was added as a direct dependency of the event-stream package by a new maintainer on September 9, 2018, in version 3.3.6. The event-stream package is widely used, but the malicious code targeted developers at a company that had a very specific development environment setup: running the payload in any other environment has no effect. This specific targeting means that, ultimately, most developers would not be affected even if they had mistakenly installed the malicious module.
The injected code targets the Copay application. When a developer at Copay runs one of their release build scripts, the resulting code is modified before being bundled into the application. The code was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1000 Bitcoin Cash.
Copay's initial response was that no builds containing this malicious code were released to the public, but we now have confirmation from Copay that “the malicious code was deployed on versions 5.0.2 through 5.1.0.”
The attack
This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over maintainership of the event-stream module.
The technical details
Here are some technical details that we know about, for those of you interested in this.
The injected code:
- Read in AES encrypted data from a file disguised as a test fixture
- Grabbed the npm package description of the module that imported it, using an automatically set environment variable
- Used the package description as a key to decrypt a chunk of data pulled in from the disguised file
The decrypted data was part of a module, which was then compiled in memory and executed.
This module performed the following actions:
- Decrypted another chunk of data from the disguised file
- Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
- Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
- Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts
The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.
This code would do the following:
- Detect the current environment: Mobile/Cordova/Electron
- Check the Bitcoin and Bitcoin Cash balances on the victim's copay account
- If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
  - Harvest the victim's account data in full
  - Harvest the victim's copay private keys
  - Send the victim's account data/private keys off to a collection service running on 111.90.151.134.
For users of the Copay app, bitpay recommends, “If you are using any version from 5.0.2 to 5.1.0, you should not run or open the Copay app.”
For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.
Answered by Matheus Teixeira
Actually we don't need to update all the packages that depend on [email protected].
You can open the package-lock.json, remove all the event-stream references and call npm install again. It will be faster.
After that, npm shrinkwrap && mv npm-shrinkwrap.json package-lock.json should update just the event-stream references and not the whole file.
Answered by Basavaraj Hadimani
Follow the methods below:
- Delete the node_modules and package-lock.json files
- Run npm list event-stream
- Run npm audit
- Run npm cache verify
- Run npm install
- Run git add . (add required files)
- Run git commit (commit your changes)
- Run git push (push your code)
Answered by Susie Chang
I solved this problem by the following steps:
- Open your latest log for this error in /node_cache/_logs/xxxx-xx-xxx-debug.log
- Find the root of the event-stream leaf, for example:
45 silly saveTree +-- [email protected]
45 silly saveTree | +-- [email protected]
45 silly saveTree | +-- [email protected]
45 silly saveTree | | `-- [email protected]
45 silly saveTree | | `-- [email protected]
45 silly saveTree | | +-- [email protected]
45 silly saveTree | | +-- [email protected]
45 silly saveTree | | +-- [email protected]
45 silly saveTree | | `-- [email protected]
- In this case, the root is nodemon, so you can fix it by: npm install [email protected]
- npm install now succeeds
Answered by Evilripper
I've updated npm-run-all from 4.1.3 to 4.1.5 in package.json (and removed event-stream from the lock file), then ran npm install.
Answered by Huseyin Gundogdu
As mentioned in the comments, the underlying issue was that the package-lock.json (the lockfile) contained a deprecated package. Deleting the lockfile and re-installing the dependencies resolved the issue.
The fastest way to do this is these 2 steps:
- Delete the package-lock.json file
- Type npm i (or npm install) to re-install dependencies

