event-stream backdoor (npm, 2018)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags a manifest pin of event-stream@3.3.6, the release that shipped the flatmap-stream backdoor targeting the Copay Bitcoin wallet.
Why it matters
event-stream 3.3.6 is the exact release where a new "maintainer" (who had gained publish access through social engineering) added a dependency, flatmap-stream, containing a backdoor that targeted the Copay Bitcoin wallet app to steal private keys. Anyone who installed that version, even transitively, pulled the backdoor onto their machine or build server. It is one of the first widely-documented cases of a targeted npm supply-chain attack. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Remove the pin on event-stream 3.3.6 immediately. The package has been unpublished/deprecated for years, so any current use should come from an old lockfile; delete it and let your package manager resolve a maintained alternative (or remove the dependency chain entirely if it was only ever transitive). Rotate any secrets that were ever present on a machine that installed the affected version.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo