November 28, 2018

Security notice for Apollo VS Code 11/28/18

James Baxley III
Director of Engineering
Last updated March 18, 2020


  • A wide-spread, industry-wide security vulnerability impacted a dependency of a dependency of the Apollo VS Code plugin called event-stream.
  • The editor extension (along with 38 others) was removed from the VS Code Marketplace. These extensions were also uninstalled for users and flagged as “malicious” within VS Code.
  • We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package which is now safely back on the marketplace for download

Timeline of events

Monday November 26

On Monday morning news broke of a security vulnerability that impacted the JavaScript ecosystem at large. A popular dependency called event-stream was discovered to have been compromised. The package, when installed alongside a bitcoin wallet tool called copay or copay-dash, would attempt to siphon and steal bitcoins from users.

We determined that the vscode package that we use to build the Apollo VS Code editor extension was installing event-stream. We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.

Tuesday November 27

We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why were flagged.

The prior night, the VS Code team removed 38 extensions that depended on the vscode or other related projects that brought the compromised package into builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.

Wednesday November 28

The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension was published back onto the marketplace.

Next steps

Due to the way VS Code extensions are installed, there is only a small chance that the vulnerability would have had any impact, however it is worth checking your machine to make sure that version of the package doesn’t exist. Lauren Elizabeth Tan put together a great tweet thread of steps to take:

don't forget to also check your local machine (for the backdoor,, ICYMI) find / -type d -name "event-stream" -print 2>/dev/null

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

More specifically, search for `flatmap-stream`, as that is the malicious package: find / -type d -name "flatmap-stream" -print 2>/dev/null Thanks @OCombe for pointing this out

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

✨ And finally you should be using `npm ci` OR `yarn install –frozen-lockfile` to install your deps on your servers: npm: yarn:

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

Thanks for your continued support using the Apollo platform. We take your security seriously and will always responsibly disclose any security vulnerabilities in our tools. To report a security vulnerability, please contact

Written by

James Baxley III


Normally found on his farm working his bee hives or tending his flock of sheep, James is a believer in cultivating happy and healthly communities. He is a lover of design systems, roses, and fixing old land rovers.

Read more by James Baxley III

Stay in our orbit!

Become an Apollo insider and get first access to new features, best practices, and community events. Oh, and no junk mail. Ever.

Make this article better!

Was this post helpful? Have suggestions? Consider so we can improve it for future readers ✨.

Similar posts

September 7, 2023

Office Hours: Apollo Server with Trevor Scheer

by Dylan Anthony