
A Deep Dive into the Compromised NPM Package: event-stream - yarapavan
https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502
======
yarapavan
The attack could have been prevented by making use of CSP (Content Security
Policy). This is a standard for specifying which URLs a webpage can
communicate with and is specified via web server headers. Cordova even has its
own mechanism for specifying which third-party services can be contacted.
However, the Copay application appears to have disabled this feature.
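
An added example, not part of the comment above or of the linked article: a simplified evaluator for the CSP `connect-src` directive that a reviewer can use to check whether a policy would let a page contact a host outside its own backend. The origins, policy strings and function names are constructed for illustration, and the matcher deliberately ignores ports, paths and redirects.

```javascript
// Added example: simplified CSP connect-src check (ignores ports, paths, redirects).
// Every origin and policy string here is a constructed sample value.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  // host-source: optional scheme, optional leading "*." wildcard, then host.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  // "*.example" covers subdomains only, never the bare domain.
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function connectAllowed(header, target, selfOrigin) {
  const directives = parseCsp(header);
  // connect-src governs fetch/XHR/WebSocket and falls back to default-src.
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (!sources) return true; // no applicable directive: connections unrestricted
  const url = new URL(target);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

const SELF = 'https://app.wallet.example';
const STRICT = "default-src 'self'; connect-src 'self' https://api.wallet.example";
const PERMISSIVE = "default-src * 'unsafe-inline' data:";
const UNKNOWN_HOST = 'https://collector.example/upload';

for (const [label, policy] of [['strict', STRICT], ['permissive', PERMISSIVE]]) {
  console.log(label, 'own API:', connectAllowed(policy, 'https://api.wallet.example/v1', SELF),
    '| unlisted host:', connectAllowed(policy, UNKNOWN_HOST, SELF));
}
```

A policy whose `connect-src` (or fallback `default-src`) contains `*` permits the unlisted host, which is the condition to flag in review.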

