A JavaScript backdoor that affects millions

Software might be eating the world, but JavaScript is eating software whole. With the prevalence of package managers like npm and yarn, which make it easier for web developers to quickly use libraries to solve coding problems, it's become much easier to blindly install code without really investigating what's inside.

Overnight, the JavaScript community panicked as it became clear that a relatively banal package with more than two million downloads per week had been quietly compromised. Developers were using the EventStream library to help with input and output in their applications, with thousands of new downloads daily, but the maintainer had quietly transferred ownership to an unknown third party:

According to the GitHub discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being

–Widely used open source software contained bitcoin-stealing backdoor