swimlane / ngx-charts

:bar_chart: Declarative Charting Framework for Angular
https://swimlane.github.io/ngx-charts/
MIT License

WARNING: Ngx-charts dependencies include event-stream which has been compromised #1047

Closed finebalancetech closed 5 years ago

finebalancetech commented 5 years ago

While compiling ngx-charts I discovered it was trying to install flatmap-stream 0.1.1, which is a malicious dependency introduced by a compromised event-stream package.

Please read: https://github.com/dominictarr/event-stream/issues/116

All ngx-charts devs, check if you are affected:

npm ls event-stream flatmap-stream

If you see flatmap-stream 0.1.1 as a dependency, your build is likely compromised.

I recommend clearing your npm cache:

npm cache clean --force

And reinstalling dependencies:

npm i

NPM is aware of the issue and has removed the malicious package, so subsequent installs depending on that package will fail, like this:

npm ERR! code E404
npm ERR! 404 Not Found: flatmap-stream@https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
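The `npm ls` check above only works once `node_modules` is installed, and a compromised install may already have run the payload by then. The following is an added example (not code from the ngx-charts project or from the issue author) that does the same check offline by scanning a `package-lock.json` tree before anything is installed, and reports the dependency chain that pulled the package in. It goes slightly beyond the thread: besides the nested `dependencies` layout of lockfileVersion 1 files, it also handles the flat `packages` map of lockfileVersion 2/3. The flagged versions are flatmap-stream 0.1.1 (named in the issue) and event-stream 3.3.6, the release that added that dependency (a known detail not stated in this thread). The sample lock file is constructed for the example; the package `some-build-tool` in it is hypothetical.

```javascript
// Added example: offline scan of a package-lock.json for the compromised
// flatmap-stream / event-stream releases. Not part of ngx-charts.

const MALICIOUS = {
  // package name -> versions considered compromised.
  // flatmap-stream 0.1.1 is named in the issue; event-stream 3.3.6 is the
  // release that depended on it (known fact, not stated in the thread).
  'flatmap-stream': new Set(['0.1.1']),
  'event-stream': new Set(['3.3.6']),
};

// Return one record per compromised package found in the lock file, with the
// chain (lockfileVersion 1) or install path (lockfileVersion 2/3) that pulled it in.
function findMalicious(lock, malicious = MALICIOUS) {
  const hits = [];

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path such as
    // "node_modules/a/node_modules/flatmap-stream". The key "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const marker = 'node_modules/';
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      const bad = malicious[name];
      if (bad && bad.has(entry.version)) {
        hits.push({ name, version: entry.version, path });
      }
    }
    return hits;
  }

  // lockfileVersion 1: nested "dependencies" objects, walked recursively.
  function walk(deps, chain) {
    if (!deps) return;
    for (const [name, entry] of Object.entries(deps)) {
      const here = [...chain, `${name}@${entry.version}`];
      const bad = malicious[name];
      if (bad && bad.has(entry.version)) {
        hits.push({ name, version: entry.version, path: here.join(' > ') });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock file (lockfileVersion 1): a hypothetical dev
// dependency chain that pulls in the compromised release, plus a clean package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0' },
    'some-build-tool': {
      version: '2.0.0',
      dev: true,
      dependencies: {
        'event-stream': {
          version: '3.3.6',
          dependencies: {
            'flatmap-stream': { version: '0.1.1' },
          },
        },
      },
    },
  },
};

// Convenience wrapper so the scan can be called without arguments.
function scanLockFile(lock = SAMPLE_LOCK) {
  return findMalicious(lock);
}

// Run against the constructed sample when executed directly.
for (const h of scanLockFile(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} via ${h.path}`);
}
```

To run it against a real project, load the lock file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `findMalicious`; a non-empty result means the lock file still pins the compromised version, which is exactly the case where deleting `package-lock.json` and reinstalling is needed rather than `npm i` alone.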

finebalancetech commented 5 years ago

Also: https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

marjan-georgiev commented 5 years ago

I pushed a commit to the master branch a couple of hours ago that addresses this. Could you check if you're on latest please?

finebalancetech commented 5 years ago

Hi Marjan... I'm using a fork which has not yet updated: https://github.com/swimlane/ngx-charts/pull/555

Trying to get custom data into the tooltip is not possible with the current master... :/

marjan-georgiev commented 5 years ago

Yup, make sure you merge the upstream master branch into the fork if you're using one. Otherwise, deleting package-lock.json and reinstalling the packages should get rid of the malicious package.

Closing this one.