The event-stream library has been compromised by a malicious author [0]. The attack is targeting a specific Bitcoin/Bitcoin Cash wallet software [1]. I have been able to reproduce and verify the technical analyses [2][3][4] of the compromise and its impact. The malicious code tries to find wallets with a balance over 100 BTC / 1000 BCH and send them to a server that is probably under the control of the malicious author.
Tuleap builds (CE or EE) or software maintained by the Tuleap integrators are not affected at this time.
The proxy of the npmjs registry maintained by Enalean for the Tuleap builds confirms that the malicious package has never been used: the version of event-stream currently in use is the one stored in the proxy registry on November 1 2016, so prior to the compromise. As of now, the npmjs support team seems to have taken down the malicious package from the npmjs registry.
The original author seems to have lost his publish rights on the module on the npmjs registry [5], meaning that new releases of the event-stream package might also be compromised until further notice.
Tuleap only needs this dependency for one of its direct dev dependencies: gulp-scss-lint. We can probably work without it, and as a short-term mitigation the last known safe version (3.3.4) of event-stream should be pinned in package.json to ensure the package is not inadvertently upgraded.
[0] https://github.com/dominictarr/event-stream/issues/116
[1] https://www.npmjs.com/package/copay-dash
[2] https://github.com/dominictarr/event-stream/issues/116#issuecomment-441744514
[3] https://github.com/dominictarr/event-stream/issues/116#issuecomment-441745006
[4] https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
[5] https://github.com/dominictarr/event-stream/issues/116#issuecomment-440927579