npm ERR! 404 Not Found: [email protected]

node.js, Npm

node.js Problem Overview


I am trying to deploy my project and I'm suddenly getting this error.

> npm ERR! 404 Not Found: [email protected]

node.js Solutions


Solution 1 - node.js

> tldr;
>
> Holy cow! It turns out that the event-stream package had a vulnerability that allowed a hacker to steal bitcoin.

To fix it you need to update your event-stream package.

  1. Delete the node_modules folder.
  2. Delete the package-lock.json file.
  3. Run npm install.

This should update your packages to a safe version and you should be good to go.

And here is the official response from the NPM blog:

> Details about the event-stream incident
>
> This is an analysis of the event-stream incident of which many of you became aware earlier this week. npm acts immediately to address operational concerns and issues that affect the safety of our community, but we typically perform more thorough analysis before discussing incidents—we know you’ve been waiting.
>
> On the morning of November 26th, npm’s security team was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm Security responded by removing flatmap-stream and [email protected] from the Registry and taking ownership of the event-stream package to prevent further abuse.
>
> The malicious package was version 0.1.1 of flatmap-stream. This package was added as a direct dependency of the event-stream package by a new maintainer on September 9, 2018, in version 3.3.6. The event-stream package is widely used, but the malicious code targeted developers at a company that had a very specific development environment setup: running the payload in any other environment has no effect. This specific targeting means that, ultimately, most developers would not be affected even if they had mistakenly installed the malicious module.
>
> The injected code targets the Copay application. When a developer at Copay runs one of their release build scripts, the resulting code is modified before being bundled into the application. The code was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1000 Bitcoin Cash.
>
> Copay’s initial response was that no builds containing this malicious code were released to the public, but we now have confirmation from Copay that “the malicious code was deployed on versions 5.0.2 through 5.1.0.”
>
> The attack
>
> This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over maintainership of the event-stream module.
>
> The technical details
>
> Here are some technical details that we know about, for those of you interested in this.
>
> The injected code:
>
>   • Read in AES encrypted data from a file disguised as a test fixture
>   • Grabbed the npm package description of the module that imported it, using an automatically set environment variable
>   • Used the package description as a key to decrypt a chunk of data pulled in from the disguised file
>
> The decrypted data was part of a module, which was then compiled in memory and executed.
>
> This module performed the following actions:
>
>   • Decrypted another chunk of data from the disguised file
>   • Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
>   • Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
>   • Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:
>
> The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.
>
> This code would do the following:
>
>   • Detect the current environment: Mobile/Cordova/Electron
>   • Check the Bitcoin and Bitcoin Cash balances on the victim’s copay account
>   • If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
>       • Harvest the victim’s account data in full
>       • Harvest the victim’s copay private keys
>       • Send the victim’s account data/private keys off to a collection service running on 111.90.151.134.
>
> For users of the Copay app, bitpay recommends, “If you are using any version from 5.0.2 to 5.1.0, you should not run or open the Copay app.”
>
> For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.

Solution 2 - node.js

Actually, we don't need to update all the packages that depend on [email protected].

You can open the package-lock.json, remove all the event-stream references and call npm install again. It will be faster.

After that, npm shrinkwrap && mv npm-shrinkwrap.json package-lock.json should update just the event-stream references and not the whole file.

Solution 3 - node.js

Follow the steps below:

  1. Delete node_modules and package-lock.json files

  2. Run npm list event-stream

  3. Run npm audit

  4. Run npm cache verify

  5. Run npm install

  6. Run git add . (add required files)

  7. Run git commit (commit your changes)

  8. Run git push (Push your code)

Solution 4 - node.js

As mentioned in the comments, the underlying issue was the package-lock.json (the lockfile) contained a deprecated package. Deleting the lockfile and re-installing the dependencies resolved the issue.

The fastest way to do this is these 2 steps:

  • delete the package-lock.json file
  • type npm i (or npm install) to re-install dependencies

Solution 5 - node.js

I solved this problem with the following steps:

  1. Open your latest log for this error in /node_cache/_logs/xxxx-xx-xxx-debug.log

  2. Find the root of the event-stream leaf, for example:

    45 silly saveTree +-- nodemon@1.18.4
    45 silly saveTree | +-- chokidar@2.0.4
    45 silly saveTree | +-- pstree.remy@1.1.0
    45 silly saveTree | | `-- ps-tree@1.2.0
    45 silly saveTree | |   `-- event-stream@3.3.6
    45 silly saveTree | |     +-- duplexer@0.1.1
    45 silly saveTree | |     +-- from@0.1.7
    45 silly saveTree | |     +-- pause-stream@0.0.11
    45 silly saveTree | |     `-- split@0.3.3

  3. In this case, the root is nodemon, so you can fix it by running: npm install [email protected]

  4. npm install succeeds now.
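The same root-finding can be done against the lockfile instead of the debug log. This is an added example, not part of the original answer: it assumes the lockfileVersion 2/3 layout (a `packages` map keyed by install path), and the sample lockfile, including the package name `example-lib`, is constructed.

```javascript
// Added example: find which direct dependencies pull in a known-bad release.
// Assumes the lockfileVersion 2/3 layout ("packages" map keyed by install path).
const BAD = new Map([["event-stream", ["3.3.6"]], ["flatmap-stream", ["0.1.1"]]]);

// Resolve `name` as seen from the package installed at `from`, walking up
// nested node_modules directories the way Node's module resolution does.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first search from each direct dependency; returns one chain
// (direct dependency first, flagged package last) per affected root.
function findBadChains(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const chains = [];
  for (const top of Object.keys({ ...root.dependencies, ...root.devDependencies })) {
    const start = resolve(packages, "", top);
    if (!start) continue;
    const seen = new Set([start]);
    const queue = [[start, []]];
    while (queue.length) {
      const [path, trail] = queue.shift();
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      const version = packages[path].version;
      const here = trail.concat(`${name}@${version}`);
      if ((BAD.get(name) || []).includes(version)) { chains.push(here); continue; }
      const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
      for (const dep of Object.keys(deps)) {
        const child = resolve(packages, path, dep);
        if (child && !seen.has(child)) { seen.add(child); queue.push([child, here]); }
      }
    }
  }
  return chains;
}

// Constructed sample mirroring the tree in the log above (not a real lockfile).
const sampleLock = { lockfileVersion: 2, packages: {
  "": { dependencies: { "example-lib": "^1.0.0" }, devDependencies: { nodemon: "^1.18.4" } },
  "node_modules/example-lib": { version: "1.0.0" },
  "node_modules/nodemon": { version: "1.18.4", dependencies: { chokidar: "^2.0.2", "pstree.remy": "^1.1.0" } },
  "node_modules/chokidar": { version: "2.0.4" },
  "node_modules/pstree.remy": { version: "1.1.0", dependencies: { "ps-tree": "^1.1.0" } },
  "node_modules/ps-tree": { version: "1.2.0", dependencies: { "event-stream": "~3.3.0" } },
  "node_modules/event-stream": { version: "3.3.6", dependencies: { "flatmap-stream": "^0.1.0" } },
  "node_modules/flatmap-stream": { version: "0.1.1" },
} };
for (const chain of findBadChains(sampleLock)) console.log(chain.join(" > "));
```

To run it on a project, pass the parsed contents of package-lock.json to findBadChains; the first element of each chain is the direct dependency to upgrade.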

Solution 6 - node.js

I've updated npm-run-all from 4.1.3 to 4.1.5 in package.json (remove event-stream from the lock file). Then npm install.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | Matt | View Question on Stackoverflow |
| Solution 1 - node.js | Matt | View Answer on Stackoverflow |
| Solution 2 - node.js | Matheus Teixeira | View Answer on Stackoverflow |
| Solution 3 - node.js | Basavaraj Hadimani | View Answer on Stackoverflow |
| Solution 4 - node.js | Huseyin | View Answer on Stackoverflow |
| Solution 5 - node.js | Susie Chang | View Answer on Stackoverflow |
| Solution 6 - node.js | Evilripper | View Answer on Stackoverflow |