
event-stream npm Package Malware — Targeting Copay Bitcoin Wallet

📅 2018-09-09 🏢 event-stream npm package (Node.js event streaming utility) 🦠 flatmap-stream (malicious dependency with obfuscated payload)

Incident Details

In September 2018, an unknown attacker using the account ‘right9ctrl’ approached dominictarr, the original maintainer of the popular Node.js npm package ‘event-stream’, and offered to take over maintenance of the package. The maintainer agreed: event-stream had millions of weekly downloads, but he was no longer actively maintaining it. The attacker then published event-stream version 3.3.6, which added a new dependency, the malicious package ‘flatmap-stream’. Its code was heavily obfuscated and carried AES-encrypted payloads that decrypted and activated only in the context of the Copay bitcoin wallet application (by BitPay). The payload targeted Copay wallets holding more than 100 BTC and attempted to exfiltrate the wallet’s private keys and transaction data to a server in Malaysia (copayapi.host).

The malicious code went undetected for approximately 11 weeks, from 9 September to 20 November 2018, when a developer named Ayrton Sparling (FallingSnow) discovered it and posted the finding on GitHub. At the time of discovery, event-stream had approximately 2 million weekly npm downloads. BitPay/Copay issued emergency updates.

The attack is a landmark case in npm supply chain security: it demonstrated how an attacker could exploit the trust model of open-source package maintenance by socially engineering a package handover. No confirmed successful thefts were reported, but the potential exposure was significant given Copay’s user base. The incident spurred npm to implement new security controls around package ownership transfers.
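The practical check a defender wants after reading this entry is whether a project's lock file ever resolved the poisoned version of event-stream or any copy of flatmap-stream, including transitively. The following scanner is an added example written for this page (not code from the incident or from npm); it handles both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 layout, and the sample lock file and the flatmap-stream version in it are constructed.

```python
import json

# Indicators named in the incident entry; None matches any version of that package.
INDICATORS = {"flatmap-stream": None, "event-stream": "3.3.6"}


def _check(name, version, path, findings):
    """Record (name, version, path) when the package matches an indicator."""
    if name in INDICATORS and INDICATORS[name] in (None, version):
        findings.append((name, version, path))


def _walk_v1(deps, prefix, findings):
    """lockfileVersion 1: each entry may nest its own 'dependencies'."""
    for name, meta in (deps or {}).items():
        path = prefix + [name]
        _check(name, meta.get("version"), "/".join(path), findings)
        _walk_v1(meta.get("dependencies"), path, findings)


def _walk_v2(packages, findings):
    """lockfileVersion 2/3: flat 'packages' map keyed by node_modules path."""
    for key, meta in packages.items():
        if key:  # "" is the root project itself, not a dependency
            name = key.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            _check(name, meta.get("version"), key, findings)


def scan_lockfile(text):
    """Return [(name, version, path), ...] hits for a package-lock.json string."""
    lock = json.loads(text)
    findings = []
    if "packages" in lock:
        _walk_v2(lock["packages"], findings)
    else:
        _walk_v1(lock.get("dependencies"), [], findings)
    return findings


# Constructed v1 lock file: event-stream 3.3.6 arrives transitively through an
# unrelated top-level package and pulls in flatmap-stream (sample version number).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 1, "dependencies": {
    "some-cli-tool": {"version": "1.0.0", "dependencies": {
        "event-stream": {"version": "3.3.6", "dependencies": {
            "flatmap-stream": {"version": "0.1.0"}}}}},
    "lodash": {"version": "4.17.11"}}})

if __name__ == "__main__":
    for name, version, path in scan_lockfile(SAMPLE_LOCK):
        print(f"FLAGGED {name}@{version} at {path}")
```

Run it against a real `package-lock.json` by passing the file contents to `scan_lockfile`; a hit on flatmap-stream at any version, or on event-stream exactly at 3.3.6, means the build once pulled the malicious dependency.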

Technical Details

Initial Attack Vector
The attacker (right9ctrl) socially engineered the original event-stream maintainer (dominictarr) into transferring ownership of the npm package, then published a new version that added a malicious dependency (flatmap-stream). Its obfuscated code specifically targeted the Copay bitcoin wallet application, attempting to steal private keys and transaction data from users whose wallets held more than 100 BTC.
Vendor / Product
event-stream npm package (Node.js event streaming utility)
Software Package
event-stream
Malware Family
flatmap-stream (malicious dependency with obfuscated payload)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-09-09 Breach occurred
  2. 2018-11-20 Publicly disclosed
  3. 2018-11-26 Customers notified