Issue
On November 26th, npm was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm responded by removing flatmap-stream and event-stream@3.3.6 from the Registry and taking ownership of the event-stream package to prevent further abuse. Now builds which specify either of these packages as dependencies will get errors when trying to install compromised versions.
Full details of this incident can be found on the npm blog - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
Resolution
To resolve this, you must upgrade your dependencies to ensure you are not using the compromised package. If you are using it, you should update your event-stream dependency to event-stream@3.3.4. A new, uncompromised flatmap-stream package has also been added to npm - https://www.npmjs.com/package/flatmap-stream
While it is better to update the specific dependencies that depended on the compromised package, you can also resolve this by deleting and regenerating your package-lock.json and yarn.lock files.