Thanks for the challenge
I used NIM and nodes js in order to speed up the obfuscated part.
Easy, I got - Hint (password is a npm package) and the function
At least I learnt a way to throw a structured exception
exploitedstream.js where password is the package
So, I was sure it was event-stream or the compromised module (flatmap-stream) but both don't work !
Is the password is 18 length and npm version must be included with @ ?
Or I am on the wrong path ?