As Tarr found the project no longer fun to work on - he did it for free and had no use for the module anymore - he handed off maintainer rights.
Soon after, however, code was added to event-stream which injected obfuscated malware.
Although at first it wasn't clear what the added malicious code did, users chipped in and worked out that it steals Bitcoin wallets from users of the Copay and Bitpay software libraries.
The incident has again highlighted the dangers of supply chain attacks, where malware could be injected into a trusted piece of code such as an open source software library relied on by large numbers of developers and projects.
Rendition Infosec president and founder Jake Williams said the incident "embodies everything wrong with open source software security today."
"Guy builds npm module, then transfers control of the module to another user (who he does not know). This is then used to deploy malware," Williams tweeted.
"Don't blame the original dev (as some have been doing). They built a package for which they receive no compensation. Someone asked to help maintain a stale project and they said 'sure'. Creating open source software shouldn't be a lifelong commitment."
Tarr similarly told iTnews that the model was broken.
"When millions of people depend on something that the original author has very little motivation to maintain, that's insane," Tarr said.
"Once something gets popular, you only hear from people who are having a problem with it.
"If you break anything - easy to do - you'll have many people suddenly upset at you. It's a lot of responsibility and potential downside, but no upside to speak of."
Tarr suggested that maintainers get paid and that those who depend on modules take part in the process, so that the responsibility for published code scales according to usage and need.
The malicious version of the code has been removed by npm.