{"id":52894,"date":"2018-11-28T03:33:20","date_gmt":"2018-11-28T03:33:20","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=52894"},"modified":"2019-02-14T15:48:13","modified_gmt":"2019-02-14T23:48:13","slug":"blocking-malicious-event-stream-and-flatmap-stream-packages","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/blocking-malicious-event-stream-and-flatmap-stream-packages\/","title":{"rendered":"Blocking malicious event-stream and flatmap-stream packages"},"content":{"rendered":"

On November 26, 2018, the npm package manager released security advisory 737<\/a> regarding the flatmap-stream<\/strong> package. It was determined that this package was malicious, and contained harmful code. In addition, the popular event-stream <\/strong>package was modified to make use of the harmful flatmap-stream package.<\/p>\n

These malicious packages were apparently attempting to locate bitcoin wallets stored on the computer running the packages and exfiltrate the coins. npm has removed the flatmap-stream package from their registry. Visual Studio Code has also taken steps to block affected extensions<\/a>.<\/p>\n

In response to this incident, we changed Azure DevOps to block the harmful flatmap-stream <\/strong>package versions 0.1.0, 0.1.1, and 0.1.2 and event-stream<\/strong> package version 3.3.6<\/strong> which makes use of the flatmap-stream package. This matches what npm package manager has done.<\/p>\n

We will also be contacting customers whose feeds contain the malicious packages. After deploying the block, you will not be able to download these packages or publish them to Azure DevOps.<\/p>\n

The safest approach with event-stream is to remain on version 3.3.4.<\/p>\n

UPDATE<\/strong>: We’ve deployed the block.<\/p>\n

UPDATE 2<\/strong>: I’ve updated the versions blocked, which are the same as what npm has done.<\/p>\n","protected":false},"excerpt":{"rendered":"

We are making a change to Azure DevOps to block the harmful flatmap-stream 0.1.0 package and the versions of event-stream newer than version 3.3.4 which make use of the flatmap-stream package.<\/p>\n","protected":false},"author":94,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229,249],"tags":[],"class_list":["post-52894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-community","category-open-source"],"acf":[],"blog_post_summary":"

We are making a change to Azure DevOps to block the harmful flatmap-stream 0.1.0 package and the versions of event-stream newer than version 3.3.4 which make use of the flatmap-stream package.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/52894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=52894"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/52894\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=52894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=52894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=52894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}