November 28, 2018

Security notice for Apollo VS Code 11/28/18

James Baxley III

James Baxley III


  • A wide-spread, industry-wide security vulnerability impacted a dependency of a dependency of the Apollo VS Code plugin called event-stream.
  • The editor extension (along with 38 others) was removed from the VS Code Marketplace. These extensions were also uninstalled for users and flagged as “malicious” within VS Code.
  • We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package which is now safely back on the marketplace for download

Timeline of events

Monday November 26

On Monday morning news broke of a security vulnerability that impacted the JavaScript ecosystem at large. A popular dependency called event-stream was discovered to have been compromised. The package, when installed alongside a bitcoin wallet tool called copay or copay-dash, would attempt to siphon and steal bitcoins from users.

We determined that the vscode package that we use to build the Apollo VS Code editor extension was installing event-stream. We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.

Tuesday November 27

We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why were flagged.

The prior night, the VS Code team removed 38 extensions that depended on the vscode or other related projects that brought the compromised package into builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.

Wednesday November 28

The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension was published back onto the marketplace.

Next steps

Due to the way VS Code extensions are installed, there is only a small chance that the vulnerability would have had any impact, however it is worth checking your machine to make sure that version of the package doesn’t exist. Lauren Elizabeth Tan put together a great tweet thread of steps to take:

don't forget to also check your local machine (for the backdoor,, ICYMI) find / -type d -name "event-stream" -print 2>/dev/null

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

More specifically, search for `flatmap-stream`, as that is the malicious package: find / -type d -name "flatmap-stream" -print 2>/dev/null Thanks @OCombe for pointing this out

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

✨ And finally you should be using `npm ci` OR `yarn install –frozen-lockfile` to install your deps on your servers: npm: yarn:

— Lauren Tan ✨😬✨ (@sugarpirate_) November 26, 2018

Thanks for your continued support using the Apollo platform. We take your security seriously and will always responsibly disclose any security vulnerabilities in our tools. To report a security vulnerability, please contact

Written by

James Baxley III

James Baxley III

Read more by James Baxley III