The event-stream npm package was found to contain a malicious child package, flatmap-stream, which had been downloaded nearly 8 million times since its inclusion in September 2018. The malicious code focused on stealing bitcoins from applications, redirecting any mined bitcoins to the attacker's wallet. The incident highlights the risks of using outdated and unmaintained packages, as well as the importance of regular security testing and monitoring. Snyk has added the vulnerability to its database and notified affected users, while npm has unpublished the malicious library. Developers are advised to check if they are using the malicious package and eliminate it from their applications, and consider running a one-off test for their repositories.