I just got a GitHub mail about it. email@example.com has been compromised by a malicious actor who introduced the malware by adding a new dependency firstname.lastname@example.org. It is not clear yet (at least to me) what the malicious code does, but it is known that it targets cryptocurrency-related activity.
To see if you have it in your project's dependency tree:
$ npm ls event-stream flatmap-stream
If flatmap doesn't show, then you're safe. Else, you need to update your dependency and your software as soon as possible.
No cosmic-plus software or package has been compromised.
Related GitHub issue: https://github.com/dominictarr/event-stream/issues/116
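The same check can be run against a lockfile when node_modules is not installed (CI, or many repositories at once). The sketch below is an added example, not part of the original post or of any project it mentions: it walks a parsed package-lock.json in both the nested (lockfileVersion 1) and flat (lockfileVersion 2/3) layouts. The function names, the "some-tool" package and every version string are assumptions constructed for illustration.

```javascript
// Added example: find the packages named in the post inside a parsed package-lock.json.
const SUSPECT = ['flatmap-stream', 'event-stream'];

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/b".
function scanPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const chain = path.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    const name = chain[chain.length - 1];
    if (SUSPECT.includes(name)) hits.push({ name, version: meta.version, via: chain.join(' > ') });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" objects, walked recursively.
function scanNested(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (SUSPECT.includes(name)) hits.push({ name, version: meta.version, via: chain.join(' > ') });
    hits.push(...scanNested(meta.dependencies, chain));
  }
  return hits;
}

// Returns the hits plus the post's verdict: affected only if flatmap-stream is present.
function scanLock(lock) {
  const hits = lock.packages ? scanPackages(lock.packages) : scanNested(lock.dependencies);
  return { hits, affected: hits.some((h) => h.name === 'flatmap-stream') };
}

// Constructed sample lockfiles; "some-tool" and all versions are placeholders.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': {
      version: '0.0.0-example',
      dependencies: {
        'event-stream': { version: '0.0.0-example', requires: { 'flatmap-stream': '*' } },
        'flatmap-stream': { version: '0.0.0-example' },
      },
    },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: { '': { name: 'my-app' }, 'node_modules/event-stream': { version: '0.0.0-example' } },
};

console.log(scanLock(sampleV1), scanLock(sampleV3));
```

To use it on a real project, pass scanLock the object obtained by parsing that project's package-lock.json; the "via" field shows which parent pulled the package in.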