Case Study: The event-stream Incident

before publishing.

In 2018, event-stream, a widely-used npm package with millions of weekly downloads, was weaponised in one of the clearest examples of maintainer takeover by social engineering.

What happened

Why it was hard to catch

What defenders learn

How Verifi analyses dependency behaviour →