npm Fiasco. Malware that Steals Bitcoin

By Xah Lee. Date: 2018-12-28. Last updated: 2023-04-29.

2018-11-27

npm flatmap-stream malware

2018-11-27 npm's fiasco. A malware that steals bitcoin, hidden in a package named flatmap-stream. It's used by Angular, Vue, Bootstrap. Basically all websites you visit use it. The npm malware has been downloaded 8 million times

From the few incidents i've seen over the years, i find the npm's leader, Isaac Z Schlueter to be a power hungry skum. And JavaScript coders tend to be milengen idiots that r pillar of the sjw stuff in programing community. Also, in js land, 5 lines of code is a package. 〔see npm Disease (2021)〕

You wonder, why in JavaScript land 5 lines is a package? I haven't looked in depth, but i think:

JavaScript is really bad lang and no standard libraries.
New gen of programers is a lot less capable, since ~2010.
Npm leader Isaac Z Schlueter designed the rules to max npm popularity.

npm repo bitcoin stealer 2018-11 — Node.js package tried to plunder Bitcoin wallets 2018-11-26 By Thomas Claburn. At https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

npm flatmap-stream malware 2018-11-27 6f6b3 https://npm-stat.com/charts.html?package=flatmap-stream&from=2018-09-05&to=2018-11-27

Python Lib Malware 2017-09

apparently, this happened to python recently

firefox EoHpfeRNLg skZNF — python lib malware 2017-09 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

python lib malware 2017-09 https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/