A few months ago a clever supply-chain attack was introduced into the event-stream npm package. It has been explained in detail here, but here is the TL;DR for anybody who hasn't been paying attention:
1. In September 2018 the attacker approached the maintainer of event-stream, a widely used npm package, and offered to take over maintenance duties. The maintainer agreed and gave the attacker publish rights on npm and control of the GitHub repository for the package.
2. The attacker made some innocuous-looking commits, including one that added a new dependency. That dependency contained a hidden, obfuscated bit of code that pulled in yet another file, which held an array of encrypted strings.
3. At runtime, the strings were decrypted using a key derived from information about the consuming package. In any package other than the target the decryption failed, but the error was caught and silently ignored, so nothing looked wrong.
4. It turned out that the targeted package was copay-dash, a bitcoin wallet platform, and the decrypted code would try to steal the contents of the bitcoin wallet (which might belong to you, the developer, or to a user of a product you built that happened to ship this library).
Of course, we saw this coming: here's another write-up from January 2018 describing just this kind of attack. The event-stream attack won't be the last, and it's likely that right now there are other bits of malicious code, as yet undetected, sitting in widely used npm packages.