![share-with-dlike.jpg](https://images.hive.blog/768x0/https://dlike.io/upload/EOS_hack_cryptocurrency_exchange_theft_760x400-1543292932.jpg)
Ayrton Sparling wrote:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
This Lock is the hole