I just got a GitHub mail about it. event-stream@3.3.6 has been compromised by a malicious actor who introduced the malware by adding a new dependency, flatmap-stream@0.1.1. It is not clear yet (at least to me) what the malicious code does, but it is known that it targets cryptocurrency-related activity.
To see if you have it in your project's dependency tree:
$ npm ls event-stream flatmap-stream
...
flatmap-stream@0.1.1
...
If flatmap-stream doesn't show up in the output, then you're safe. Otherwise, you need to update your dependency and your software as soon as possible.
No cosmic-plus software or package has been compromised.
Related GitHub issue: https://github.com/dominictarr/event-stream/issues/116
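
The npm ls check above needs an installed node_modules tree. As an added example (not part of the original post and not cosmic-plus code), this Node.js function runs the same check against a parsed package-lock.json, so it also works on repositories that are only checked out. The sample lockfiles and the package name some-tool are constructed for illustration.

```javascript
// Added example: look for the two versions named in this post in a
// parsed package-lock.json (old nested layout and newer flat layout).
const FLAGGED = new Map([
  ['event-stream', '3.3.6'],
  ['flatmap-stream', '0.1.1'],
]);

function isFlagged(name, version) {
  const bad = FLAGGED.get(name);
  return bad !== undefined && bad === version;
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      if (isFlagged(name, meta.version)) hits.push(`${name}@${meta.version} (${path})`);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree mirroring node_modules nesting.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (isFlagged(name, meta.version)) hits.push(`${name}@${meta.version} (${here.join(' > ')})`);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles ("some-tool" is a hypothetical package).
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': { version: '1.0.0', dependencies: { 'event-stream': { version: '3.3.6' } } },
    'flatmap-stream': { version: '0.1.1' },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: { '': { name: 'demo' }, 'node_modules/event-stream': { version: '3.3.4' } },
};

console.log(findFlagged(sampleV1)); // two hits
console.log(findFlagged(sampleV3)); // no hits
```

Pass it the parsed contents of each project's lockfile, for example JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). An empty result means neither flagged version is pinned in that lockfile.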