
Details about the event-stream incident - robin_reala
https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
======
tdumitrescu
Yowza, very targeted: "The injected code targets the Copay application. When a
developer at Copay runs one of their release build scripts, the resulting code
is modified before being bundled into the application. The code was designed
to harvest account details and private keys from accounts having a balance of
more than 100 Bitcoin or 1000 Bitcoin Cash."

------
th3iedkid
Has something like this happened with any Java packages like in Maven-Central
or even Eclipse managed repos?

------
mdekkers
_This attack started out as a social engineering attack. The attacker, posing
as a maintainer, took over maintainership of the event-stream module._

How is this even possible? Shouldn't repos like this have some serious
security measures in place?

~~~
robin_reala
The owner didn’t want to maintain it and gave it to the attacker when they
asked.
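A handover like that is invisible in version numbers, so one defensive check is to snapshot the maintainer set of each dependency and alert when it changes. The script below is an added example, not code from the npm post or from anyone in this thread; the package names and maintainer handles are constructed sample data, and the snapshot format (package name to list of maintainer handles) is an assumption about how you would record `npm view <pkg> maintainers` output.

```python
"""Flag dependencies whose maintainer set changed between two snapshots."""


def maintainer_drift(baseline, current):
    """Compare two {package: [maintainer, ...]} snapshots.

    Returns {package: {"added": [...], "removed": [...], "handover": bool}}
    for every package whose maintainer set differs. "handover" is True when
    no baseline maintainer remains, i.e. control of the package changed
    hands completely; those are the releases to review by hand before a
    build pulls them in. A package missing from `current` is treated as
    having no maintainers, which also counts as a handover.
    """
    drift = {}
    for pkg, before in baseline.items():
        before_set = set(before)
        after_set = set(current.get(pkg, []))
        if before_set == after_set:
            continue
        drift[pkg] = {
            "added": sorted(after_set - before_set),
            "removed": sorted(before_set - after_set),
            # No overlap at all means nobody who had the package before still has it.
            "handover": not (before_set & after_set),
        }
    return drift


def handovers(drift):
    """Names of packages from maintainer_drift() output that changed hands fully."""
    return sorted(pkg for pkg, info in drift.items() if info["handover"])


# Constructed snapshots (assumed names, not real npm packages or maintainers).
BASELINE = {
    "example-stream": ["alice"],
    "example-utils": ["bob", "carol"],
    "example-core": ["dan"],
}
CURRENT = {
    "example-stream": ["mallory"],          # sole maintainer replaced: handover
    "example-utils": ["bob", "carol", "erin"],  # one maintainer added: drift only
    "example-core": ["dan"],                # unchanged
}

if __name__ == "__main__":
    changes = maintainer_drift(BASELINE, CURRENT)
    for pkg, info in changes.items():
        print(pkg, info)
    print("full handovers:", handovers(changes))
```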

