The event-stream incident and the Atom team's response


#1

As reported this week, a person socially engineered the takeover of the Node event-stream package and injected code that, through a series of detailed steps targeted at a very specific environment, tries to steal an end-user’s bitcoin wallet. The Atom team has completed our investigation into whether any repository in the atom organization uses or includes the compromised version of the package. We wanted to document what we did so that people using Atom or any of the code in our organization can understand if they might have been affected and how.

In our investigation, the only repository that referenced flatmap-stream was https://github.com/atom/flight-manual.atom.io. But it never referenced the malicious version of that package and would not affect users of the Flight Manual website hosted at https://flight-manual.atom.io. People who locally compiled the Atom Flight Manual could be affected if they manually updated to use the malicious version of flatmap-stream, v0.1.1.

Summary

  1. If you’re a normal user of Atom, this security vulnerability does not affect you
  2. If you use the https://flight-manual.atom.io website, this security vulnerability does not affect you
  3. If you develop content for the https://flight-manual.atom.io website AND have tested those changes locally recently AND use crypto-currency wallets from that same machine, this security vulnerability might affect you

If you have any questions, please post here or contact the team by email at atom@github.com. You can also read the detailed analysis from the npm team.


#2

Removing a trojan infected node module

#3

Hi, yesterday my antivirus (Kaspersky Internet Security) flagged a piece of Atom as HEUR:Trojan.Script.generic. Here’s the relevant chunk of the file path.

.atom\packages\latex\node_modules\flatmap-stream\test

This seems to be the same vulnerability, but I’m perplexed, because I am certainly a normal user and should thus fall into the unaffected category. To my knowledge, I’ve never compiled the flight manual manually. I’ve only ever accessed it from the website. What’s going on here? Should I delete the file from Kaspersky’s quarantine?


#4

Thanks @Digital_ecologist, that is in a community package and I’ve made a PR to fix it. The announcement here is about core Atom that is maintained by GitHub.

Sorry for letting this slip, and thanks again for letting us know.


#5

Thanks for the clarification, I deleted the script from quarantine, and all seems to be well now.


#6

Hello.
(cc: @DamnedScholar, @morassman)

There is a package that is very popular on this forum that seems to be affected. The issue that is active is:

A search through my computer identified this package for Atom as well as PowerShell on VS Code.

My question: what steps can users like me take to get rid of rogue code such as this, when it happens? For example, process-palette may be affected; how do I update the node package dependency to an unaffected version?

Best regards.


#7

The NPM report gives us the answer:

If you find this module in your environment it’s best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.

You can delete the node_modules/ directory entirely and run npm install to rebuild the dependencies, or you can delete the flatmap-stream/ folder and reinstall that package by itself. Since the malicious version is removed, the package manager will give you the good code.
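An added example, not code from the Atom team, npm or anyone in this thread, that automates the check and clean-up described above: a POSIX shell script that scans directory trees such as ~/.atom/packages for installed copies of flatmap-stream, flags the v0.1.1 release named in the announcement, and prints the two reinstall options from the npm report for each hit. It assumes the node_modules layout shown in post #3 (e.g. packages/latex/node_modules/flatmap-stream) and modifies nothing on disk.

```shell
#!/bin/sh
# Added example (not the Atom team's or npm's code): locate installed copies of
# flatmap-stream under one or more directory trees, flag the malicious 0.1.1
# release, and print the reinstall commands from the npm report for each hit.
# Assumes POSIX sh with find, sed and awk; nothing is modified on disk.
BAD_PKG="flatmap-stream"
BAD_VERSION="0.1.1"   # the release named in the announcement above

# Print the "version" field of a package.json (first match only).
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# list_flatmap_installs ROOT... : one line per install, "<package dir> <version>".
list_flatmap_installs() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -type f -path "*/node_modules/$BAD_PKG/package.json" 2>/dev/null |
      while IFS= read -r pj; do
        printf '%s %s\n' "$(dirname "$pj")" "$(pkg_version "$pj")"
      done
  done
}

# bad_flatmap_installs ROOT... : only the installs whose version is 0.1.1.
bad_flatmap_installs() {
  list_flatmap_installs "$@" | awk -v bad="$BAD_VERSION" '$NF == bad'
}

# remediation_for PKG_DIR : print the two clean-up options from the npm report,
# to be run from the project that owns the node_modules/ directory (for an Atom
# community package that is its directory under ~/.atom/packages, as in post #3).
remediation_for() {
  project=$(dirname "$(dirname "$1")")
  printf 'In %s, either:\n' "$project"
  printf '  rm -rf node_modules && npm install\n'
  printf 'or reinstall only the one package:\n'
  printf '  rm -rf node_modules/%s && npm install %s\n' "$BAD_PKG" "$BAD_PKG"
}

# Usage: sh scan-flatmap.sh ~/.atom/packages [more roots...]
if [ $# -gt 0 ]; then
  bad_flatmap_installs "$@" | while IFS= read -r line; do
    echo "MALICIOUS $line"
    remediation_for "${line% *}"   # strip the trailing version to get the dir
  done
fi
```

If a package-lock.json in the affected project still pins flatmap-stream to 0.1.1, npm install cannot resolve the removed release, so the lock entry has to be refreshed as well.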
