npm ERR! 404 Not Found: event-stream@3.3.6
node.js Problem Overview
I am trying to deploy my project and I'm suddenly getting this error.
> npm ERR! 404 Not Found: event-stream@3.3.6
node.js Solutions
Solution 1 - node.js
> tldr;
>
> Holy cow! It turns out that the event-stream package had a vulnerability that allowed a hacker to steal bitcoin.

To fix it you need to update your `event-stream` package.

- Delete the `node_modules` folder.
- Delete the `package-lock.json` file.
- Run `npm install`.

This should update your packages to a safe version and you should be good to go.
And here is the official response from the NPM blog:
> Details about the event-stream incident
>
> This is an analysis of the event-stream incident of which many of you became aware earlier this week. npm acts immediately to address operational concerns and issues that affect the safety of our community, but we typically perform more thorough analysis before discussing incidents—we know you’ve been waiting.
>
> On the morning of November 26th, npm’s security team was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm Security responded by removing flatmap-stream and event-stream@3.3.6 from the Registry and taking ownership of the event-stream package to prevent further abuse.
>
> The malicious package was version 0.1.1 of flatmap-stream. This package was added as a direct dependency of the event-stream package by a new maintainer on September 9, 2018, in version 3.3.6. The event-stream package is widely used, but the malicious code targeted developers at a company that had a very specific development environment setup: running the payload in any other environment has no effect. This specific targeting means that, ultimately, most developers would not be affected even if they had mistakenly installed the malicious module.
>
> The injected code targets the Copay application. When a developer at Copay runs one of their release build scripts, the resulting code is modified before being bundled into the application. The code was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1000 Bitcoin Cash.
>
> Copay’s initial response was that no builds containing this malicious code were released to the public, but we now have confirmation from Copay that “the malicious code was deployed on versions 5.0.2 through 5.1.0.”
>
> The attack
>
> This attack started out as a social engineering attack. The attacker, posing as a maintainer, took over maintainership of the event-stream module.
>
> The technical details
>
> Here are some technical details that we know about, for those of you interested in this.
>
> The injected code:
>
> - Read in AES encrypted data from a file disguised as a test fixture
> - Grabbed the npm package description of the module that imported it, using an automatically set environment variable
> - Used the package description as a key to decrypt a chunk of data pulled in from the disguised file
>
> The decrypted data was part of a module, which was then compiled in memory and executed.
>
> This module performed the following actions:
>
> - Decrypted another chunk of data from the disguised file
> - Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
> - Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
> - Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:
>
> The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.
>
> This code would do the following:
>
> - Detect the current environment: Mobile/Cordova/Electron
> - Check the Bitcoin and Bitcoin Cash balances on the victim’s copay account
> - If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
>   - Harvest the victim’s account data in full
>   - Harvest the victim’s copay private keys
>   - Send the victim’s account data/private keys off to a collection service running on 111.90.151.134.
>
> For users of the Copay app, bitpay recommends, “If you are using any version from 5.0.2 to 5.1.0, you should not run or open the Copay app.”
>
> For npm users, you can check if your project contains the vulnerable dependency by running `npm audit`. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.

Solution 2 - node.js
Actually, we don't need to update all the packages that depend on event-stream@3.3.6.

You can open the `package-lock.json`, remove all the event-stream references and call `npm install` again. It will be faster.

After that, `npm shrinkwrap && mv npm-shrinkwrap.json package-lock.json` should update just the event-stream references and not the whole file.

Solution 3 - node.js
Follow the methods below:

- Delete node_modules and package-lock.json files
- Run `npm list event-stream`
- Run `npm audit`
- Run `npm cache verify`
- Run `npm install`
- Run `git add .` (add required files)
- Run `git commit` (commit your changes)
- Run `git push` (push your code)

Solution 4 - node.js
As mentioned in the comments, the underlying issue was that the `package-lock.json` (the lockfile) contained a deprecated package. Deleting the lockfile and re-installing the dependencies resolved the issue.

The fastest way to do this is these 2 steps:

- delete the `package-lock.json` file
- type `npm i` (or `npm install`) to re-install dependencies

Solution 5 - node.js
I solved this problem with the following steps:

1. Open your latest log for this error in /node_cache/_logs/xxxx-xx-xxx-debug.log
2. Find out the root of the `event-stream` leaf, for example:

```
45 silly saveTree +-- nodemon@1.18.4
45 silly saveTree | +-- chokidar@2.0.4
45 silly saveTree | +-- pstree.remy@1.1.0
45 silly saveTree | | -- ps-tree@1.2.0
45 silly saveTree | | -- event-stream@3.3.6
45 silly saveTree | | +-- duplexer@0.1.1
45 silly saveTree | | +-- from@0.1.7
45 silly saveTree | | +-- pause-stream@0.0.11
45 silly saveTree | | `-- split@0.3.3
```

3. In this case, the root is nodemon, so you can fix it by: `npm install [email protected]`
4. `npm install` runs successfully now

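The root-finding step in Solution 5 can also be done against the lockfile instead of the debug log. The following is an added example, not part of any answer on this page: it assumes an npm 5/6 style `package-lock.json` (lockfileVersion 1), and `findChains`, `resolve` and `sampleLock` are hypothetical names, with the sample lockfile constructed for illustration.

```javascript
// Added example. Lockfile layout assumed: npm 5/6 package-lock.json
// (lockfileVersion 1) with `version`, `requires` and nested `dependencies`.
const BAD = new Map([['event-stream', ['3.3.6']], ['flatmap-stream', ['0.1.1']]]); // versions named on this page

// Resolve `name` the way Node does: nested `dependencies` of each package on
// the current chain, innermost first, then the lockfile's top level.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies;
    if (deps && Object.hasOwn(deps, name)) return { entry: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null; // optional or missing dependency
}

// Return every chain "direct dep > ... > bad package" reachable from directDeps.
function findChains(lock, directDeps) {
  const hits = [];
  const walk = (name, scopes, chain, seen) => {
    const found = resolve(name, scopes);
    if (!found) return;
    const id = `${name}@${found.entry.version}`;
    if (seen.has(id)) return; // cycle guard
    const next = [...chain, id];
    if ((BAD.get(name) || []).includes(found.entry.version)) hits.push(next.join(' > '));
    const inner = [...found.scopes, found.entry];
    for (const child of Object.keys(found.entry.requires || {})) {
      walk(child, inner, next, new Set(seen).add(id));
    }
  };
  for (const name of directDeps) walk(name, [lock], [], new Set());
  return hits;
}

// Constructed sample mirroring the tree in Solution 5; semver ranges are made up.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    nodemon: { version: '1.18.4', requires: { 'pstree.remy': '^1.1.0' } },
    'pstree.remy': { version: '1.1.0', requires: { 'ps-tree': '^1.1.0' } },
    'ps-tree': { version: '1.2.0', requires: { 'event-stream': '~3.3.0' } },
    'event-stream': { version: '3.3.6', requires: { 'flatmap-stream': '^0.1.0' } },
    'flatmap-stream': { version: '0.1.1' },
    express: { version: '4.16.4', requires: {} },
  },
};
const sampleHits = findChains(sampleLock, ['nodemon', 'express']);
console.log(sampleHits.join('\n'));
```

For a real project, pass the parsed `package-lock.json` and the names listed under `dependencies` and `devDependencies` in `package.json`; the first element of each chain is the direct dependency to upgrade.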
Solution 6 - node.js
I've updated npm-run-all from 4.1.3 to 4.1.5 in package.json (and removed event-stream from the lock file), then ran `npm install`.