Dependency Autopsy: event-stream

DEV Community·Pico·23 days ago

This analysis applies behavioral trust scoring retrospectively to the 2018 event-stream supply chain attack. The package itself scored 66 with risk flags, but the critical signal was flatmap-stream, a newly added dependency with a trust score of 13.

The Timeline

event-stream was a popular Node.js streaming utility created by Dominic Tarr in 2011. By 2018 it had roughly 2 million weekly downloads and was a transitive dependency of thousands of projects. Tarr was the sole maintainer and had publicly lost interest in it. In September 2018, GitHub user right9ctrl offered to take over, and Tarr granted them npm publish access. On 9 September the new maintainer published event-stream 3.3.6, which added a single new dependency: flatmap-stream. On 5 October flatmap-stream 0.1.1 was published containing an encrypted payload that targeted the Copay Bitcoin wallet to steal cryptocurrency. The attack went undetected for nearly two months. No automated tool caught it: not npm audit, not static analysis, not GitHub code review.…
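The point of the retrospective is that the signal lived in the dependency diff, not in the trust score of event-stream itself. The Node script below is an added example, not code from the original post and not its scoring model: it diffs the dependency sets of two versions of a package and applies a deliberately simple, hypothetical heuristic (package age, maintainer count, adoption, whether the publisher has any other packages) to each newly introduced dependency. The function names, the weights and the threshold are assumptions, and the sample package manifests and registry metadata are constructed and abbreviated; the dates, download and maintainer numbers are illustrative placeholders rather than real registry data.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Names present in nextPkg.dependencies but absent from prevPkg.dependencies.
function newDependencies(prevPkg, nextPkg) {
  const prev = new Set(Object.keys(prevPkg.dependencies || {}));
  return Object.keys(nextPkg.dependencies || {}).filter((name) => !prev.has(name));
}

// Hypothetical trust heuristic (not the post's scoring model): start at 100 and
// subtract for signals a brand-new, unvetted package would exhibit.
function scoreDependency(meta, now) {
  const ageDays = (now - Date.parse(meta.created)) / DAY_MS;
  let score = 100;
  const flags = [];
  if (ageDays < 30) { score -= 40; flags.push('package-younger-than-30d'); }
  if (meta.maintainers.length < 2) { score -= 20; flags.push('single-maintainer'); }
  if (meta.weeklyDownloads < 1000) { score -= 20; flags.push('low-adoption'); }
  if (meta.maintainerOtherPackages === 0) { score -= 15; flags.push('maintainer-has-no-other-packages'); }
  return { score: Math.max(score, 0), flags };
}

// Audit a version bump: every dependency that is new in nextPkg is scored, and
// anything under `threshold` (or with no registry metadata at all) is flagged.
function auditUpgrade(prevPkg, nextPkg, registry, now, threshold = 40) {
  return newDependencies(prevPkg, nextPkg).map((name) => {
    const meta = registry[name];
    const result = meta
      ? scoreDependency(meta, now)
      : { score: 0, flags: ['no-registry-metadata'] };
    return { name, ...result, flagged: result.score < threshold };
  });
}

// Constructed sample input shaped like the event-stream 3.3.5 -> 3.3.6 bump.
// Dependency lists are abbreviated; the registry values (creation date,
// downloads, maintainer counts) are illustrative placeholders, not real data.
const PREV_PKG = {
  name: 'event-stream', version: '3.3.5',
  dependencies: { through: '~2.3.1', duplexer: '~0.1.1', 'map-stream': '~0.1.0' },
};
const NEXT_PKG = {
  name: 'event-stream', version: '3.3.6',
  dependencies: { ...PREV_PKG.dependencies, 'flatmap-stream': '0.1.0' },
};
const REGISTRY = {
  'flatmap-stream': {
    created: '2018-09-08T00:00:00Z', maintainers: ['right9ctrl'],
    weeklyDownloads: 50, maintainerOtherPackages: 0,
  },
};
const NOW = Date.parse('2018-09-10T00:00:00Z');

function runAudit() {
  return auditUpgrade(PREV_PKG, NEXT_PKG, REGISTRY, NOW);
}

for (const entry of runAudit()) {
  console.log(`${entry.flagged ? 'FLAG' : 'ok  '} ${entry.name} score=${entry.score} ${entry.flags.join(',')}`);
}
```

In a CI gate the "previous" manifest is the one already committed and the "next" is the resolved one after an upgrade; the check that would have mattered here is the one on the newly introduced transitive package, which scores 5 and is flagged in this constructed run, while the top-level package's own history says nothing useful.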
