EventStream is a very popular library with almost 2 million downloads per week. Even so, the original owner, Dominic Tarr, has not maintained it since 2012. So, in September 2018, Tarr transferred project ownership to a volunteer to maintain it.
The new owner, a user called Right9ctrl, turned out to be a bad actor. Soon after taking ownership of EventStream, Right9ctrl added a dependency to flatmap-stream. Until then, flatmap-stream was a little-known library that had no downloads on NPM. Right after that, someone (it’s not clear who) made a change to flatmap-stream that included the malicious code. Now the EventStream library was pulling in a malicious dependency.
Three days later, Right9ctrl removed the dependency on flatmap-stream from the EventStream library (perhaps to hide his or her tracks). However, people who included the EventStream package in their projects during those three days pulled in the malicious code. And if they haven’t updated their projects since then, it may still be there.