Recently, a popular npm package called event-stream was compromised to include a bitcoin-stealing feature that targeted a bitcoin wallet platform. This occurred when the owner and maintainer of event-stream gave an unknown entity rights to the repository. This unknown entity then added a new dependency to event-stream, another npm package called flatmap-stream, which contained the actual malicious code. When asked why someone was given access to the repository, this was the response:
https://web.archive.org/web/20181201144014/https://www.npmjs.com/package/event-stream