The npm package event-stream changed ownership in late 2018 and found its way into the hands of an attacker targeting a specific mobile application. How did an attacker go from an npm package to a mobile application? How was this exploit found? What purpose did each of the three payloads have? This session will dive into the three payloads of the attack: how they worked, how they were obfuscated, and what their goal ultimately was. There's no reason to assume this is an isolated event, and understanding how it occurred and what it did is an important part of staying secure going forward.