This analysis applies behavioral trust scoring retrospectively to the 2018 event-stream supply chain attack. The package itself scored 66 with two risk flags, but the critical signal was flatmap-stream, a brand-new dependency with a trust score of 13.
The Timeline
event-stream was a popular Node.js stream utility created by Dominic Tarr in 2011. By 2018 it had roughly 2 million weekly downloads and was a transitive dependency of thousands of projects. Tarr was the sole maintainer and had publicly said he no longer used or maintained it.
In September 2018, GitHub user right9ctrl offered to take over and Tarr gave the account npm publish rights. The new maintainer published event-stream 3.3.6 on September 9, whose only substantive change was a new dependency, flatmap-stream, followed a week later by a 4.0.0 release without it, so that only projects still resolving 3.x kept pulling the new package. On October 5, flatmap-stream 0.1.1 shipped an encrypted payload that decrypted and ran only inside the build of Copay, a Bitcoin wallet, where it exfiltrated private keys from wallets holding large balances.
The payload sat in the registry for about seven weeks. No automated tool caught it: not npm audit, not static analysis, and not review of the GitHub repository, because the malicious code existed only in the minified file inside the npm tarball and never in the repository source. It was found on November 20 by a developer investigating a deprecation warning that the payload's crypto calls triggered.
Trust Score Timeline
| Date | Event | event-stream | flatmap-stream | Risk Flags |
|---|---|---|---|---|
| Aug 2018 | Stable state | 66 | — | HIGH · WARN |
| Sep 2018 | Tarr transfers publish access | 66 | — | HIGH · WARN |
| Oct 5, 2018 | flatmap-stream 0.1.1 ships the payload via event-stream 3.3.6 | 73 ↑ | 13 | New dep: MINIMAL |
| Nov 20, 2018 | Attack discovered | 73 | 13 | (too late) |
Key Observations
event-stream's score increased from 66 to 73 after the takeover release, because the new publish earned a recency bonus. The package appeared healthier after the attack than before it, a real limitation of point-in-time scoring: a hijacked credential produces exactly the publishing activity the score rewards.
flatmap-stream scored 13/100 (MINIMAL tier). Every dimension scored near zero except the small recency credit for a fresh publish.
Dimension-by-Dimension: event-stream (Pre-Attack)
| Dimension | Max | Score | Reasoning |
|---|---|---|---|
| Longevity | 25 | 25 | Created 2011; 7 years old |
| Download Momentum | 25 | 22 | ~2M/week |
| Release Consistency | 20 | 12 | ~50 versions; last publish >365 days earlier |
| Maintainer Depth | 15 | 4 | 1 maintainer |
| GitHub Backing | 15 | 3 | ~1.7K stars; >730 days without a push |
| Total | 100 | 66 | |
Risk Flags:
- 🟠 HIGH — Single maintainer AND >1M weekly downloads
- ⚠️ WARN — No publish in >365 days
These flags described the exact conditions that enabled the attack: an abandoned package with a massive install base, controlled by a single npm credential.
Dimension-by-Dimension: flatmap-stream
| Dimension | Max | Score | Reasoning |
|---|---|---|---|
| Longevity | 25 | 1 | Brand new; <6 months old |
| Download Momentum | 25 | 0 | Zero organic downloads |
| Release Consistency | 20 | 8 | 1 version; recently published |
| Maintainer Depth | 15 | 4 | 1 maintainer; unknown account |
| GitHub Backing | 15 | 0 | Zero stars, forks, watchers |
| Total | 100 | 13 | MINIMAL trust tier |
The Critical Signal
The question isn't merely "what does event-stream score?" but "what changed in my dependency tree, and what does the new entry score?"
```
flatmap-stream score=13 1 maintainer 0 downloads/week 🔴 MINIMAL
└ new transitive dependency via event-stream@3.3.6
```
A package scoring 13 suddenly appearing in your dependency tree is a significant structural signal. Five minutes of analysis would have revealed that flatmap-stream was published by a fresh npm account (hugeglass) with no other packages, duplicated functionality the ecosystem already had, and carried an encrypted blob in the minified build of its npm tarball that did not appear in its repository source.
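As an added example (not proof-of-commitment's own code), here is a JavaScript re-implementation of the five dimensions from the two tables above together with the dependency-tree diff this section argues for. The weights, tier cut-offs, and package metadata are assumptions chosen so that the two snapshots reproduce the page's 66 and 13; the tool's real formula is not on the page.

```javascript
// Added example, not proof-of-commitment's own code. Re-implements the five scoring
// dimensions from the tables above and the "what changed in my tree?" check.
// All thresholds and the package metadata below are assumptions/constructed values,
// tuned so the two snapshots reproduce the page's 66 and 13; the real weights are
// not published on the page.
const DAY_MS = 86_400_000;
const daysBetween = (from, to) =>
  Math.floor((Date.parse(to) - Date.parse(from)) / DAY_MS);

// Constructed metadata snapshots (approximate, not live registry or GitHub data).
const PACKAGES = {
  "event-stream@3.3.5": { created: "2011-12-01", lastPublish: "2017-04-01", versions: 50,
    maintainers: 1, weeklyDownloads: 2_000_000, stars: 1700, lastPush: "2016-06-01" },
  "event-stream@3.3.6": { created: "2011-12-01", lastPublish: "2018-09-09", versions: 51,
    maintainers: 1, weeklyDownloads: 2_000_000, stars: 1700, lastPush: "2016-06-01" },
  "flatmap-stream@0.1.1": { created: "2018-08-30", lastPublish: "2018-10-05", versions: 1,
    maintainers: 1, weeklyDownloads: 0, stars: 0, lastPush: "2018-10-05" },
};

// Longevity (max 25): one point per ~73 days, saturating at five years.
const scoreLongevity = (ageDays) => Math.min(25, Math.ceil(ageDays / 73));

// Download momentum (max 25): log scale, so 1M/wk is not a thousand times 1k/wk.
const scoreDownloads = (weekly) =>
  weekly <= 0 ? 0 : Math.min(25, Math.round(Math.log10(weekly) * 3.5));

// Release consistency (max 20): version count (max 10) plus freshness of the last publish.
// The freshness part is the "recency bonus" that a hijacked credential earns for free.
function scoreReleases(versions, daysSincePublish) {
  const freshness = daysSincePublish <= 90 ? 7 : daysSincePublish <= 365 ? 5 : 2;
  return Math.min(10, Math.ceil(versions / 2)) + freshness;
}

// Maintainer depth (max 15): one publish credential is one point of failure.
const scoreMaintainers = (n) => Math.min(15, 4 * n);

// GitHub backing (max 15): stars on a log scale, discounted by repository staleness.
function scoreGithub(stars, daysSincePush) {
  const factor =
    daysSincePush <= 90 ? 1 : daysSincePush <= 365 ? 0.7 : daysSincePush <= 730 ? 0.4 : 0.2;
  return Math.round(Math.min(15, Math.log10(stars + 1) * 4.5) * factor);
}

function trustScore(meta, asOf) {
  const dims = {
    longevity: scoreLongevity(daysBetween(meta.created, asOf)),
    downloads: scoreDownloads(meta.weeklyDownloads),
    releases: scoreReleases(meta.versions, daysBetween(meta.lastPublish, asOf)),
    maintainers: scoreMaintainers(meta.maintainers),
    github: scoreGithub(meta.stars, daysBetween(meta.lastPush, asOf)),
  };
  const score = Object.values(dims).reduce((a, b) => a + b, 0);
  const flags = [];
  if (meta.maintainers === 1 && meta.weeklyDownloads > 1_000_000)
    flags.push("HIGH: single maintainer and >1M weekly downloads");
  if (daysBetween(meta.lastPublish, asOf) > 365) flags.push("WARN: no publish in >365 days");
  // Tier cut-offs are assumed; the page only names the MINIMAL tier.
  const tier = score < 25 ? "MINIMAL" : score < 50 ? "LOW" : score < 75 ? "MODERATE" : "STRONG";
  return { score, tier, dims, flags };
}

// The critical signal: entries present in the resolved tree after an upgrade but not
// before. Lockfiles are simplified here to name -> version maps.
function newDependencies(beforeLock, afterLock) {
  return Object.entries(afterLock)
    .filter(([name]) => !(name in beforeLock))
    .map(([name, version]) => `${name}@${version}`);
}

// Score every newcomer; anything in the MINIMAL tier should block the upgrade for review.
function auditUpgrade(beforeLock, afterLock, asOf) {
  return newDependencies(beforeLock, afterLock).map((id) => {
    const meta = PACKAGES[id];
    if (!meta) throw new Error(`no metadata snapshot for ${id}`);
    const { score, tier, flags } = trustScore(meta, asOf);
    return { id, score, tier, flags, block: tier === "MINIMAL" };
  });
}

// Constructed lockfile excerpts: before and after taking the 3.3.6 bump.
const LOCK_BEFORE = { "event-stream": "3.3.5", through: "2.3.8" };
const LOCK_AFTER = { "event-stream": "3.3.6", through: "2.3.8", "flatmap-stream": "0.1.1" };

console.log("event-stream, Aug 2018:", trustScore(PACKAGES["event-stream@3.3.5"], "2018-08-01"));
console.log("event-stream, Oct 2018:", trustScore(PACKAGES["event-stream@3.3.6"], "2018-10-05").score);
console.log("new deps in the bump:", auditUpgrade(LOCK_BEFORE, LOCK_AFTER, "2018-10-05"));
```

Run it with node. The October snapshot of event-stream scores higher than the August one and loses its WARN flag, which is the recency effect described under Key Observations; the only thing the diff flags is the MINIMAL newcomer. In a real pipeline the metadata would come from the registry packument and downloads API and the lock maps from package-lock.json, and the diff is what you would run in CI on every lockfile change rather than on a hand-picked package.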
The Pattern Since 2018
The major maintainer-account compromises since then share the same structural condition:
| Incident | Vector | Maintainers | Downloads/wk | Flag |
|---|---|---|---|---|
| event-stream (2018) | Social engineering | 1 | 2M | HIGH |
| ua-parser-js (2021) | Token compromise | 1 | 7M | HIGH |
| LiteLLM (2026) | Token compromise | 1 | 95M/mo | CRITICAL |
| axios (2026) | Token compromise | 1 | 101M | CRITICAL |
The structural condition was visible before every attack.
Usage
```
npx proof-of-commitment event-stream
npx proof-of-commitment --file package.json
```
Web interface: getcommit.dev/audit
The question isn't whether event-stream was predictable in hindsight. The question is whether the same structural conditions exist in your dependency tree right now. By this scoring, they do for 30% of the top 50 npm packages.
Related: The Axios Signal · Three npm Disasters That Were Predictable