A hacker with access to a popular open-source Javascript Library has sneaked malicious code that steals Bitcoin and Bitcoin Cash Funds stored in BitPay Copay wallets. According to ZDNet’s article published on November 26, 2018, the Copay team mentioned that all version between 5.0.2 and 5.1.0. were infected and all users are advised to update to newer versions 5.2.0 and later, which no longer contain the dangerous code.
Code Designed to Steal Users’ Wallet Information
The incident occurred approximately three months ago. The original author due to limited time and interest outsourced the development responsibilities to another programmer called Right9ctrl.
According to Arstechnica, Right9ctrl inserted the malicious code in two different stages into event-stream, an extremely well-known code library that contains a Javascript npm package, which is used by a wide range of companies from large corporates to emerging startups. In the first stage, the hacker published version three on September 8 which contained a module called flatmap-steam.
Flatmap-steam initially did not have any dangerous code. However, during stage two on October 5, the hacker updated flatmap-steam to include the malicious code. The malicious code is designed to steal users’ wallet information such as their private keys and send the data to a server located in Kuala Lumpur.
Github user Ayrton Sparling discovered the bad code last Tuesday and released a report on Github. The officials with the NPM, the open source project manager responsible for hosting event-stream, however, failed to issue notice and an advisory until Monday the following week, six days from the date of discovery.
Malicious Code Targets BitPay’s Copay Wallet Users
The NPM officials mentioned that the malicious code was inserted to target people who use a BItcoin wallet created by Copay. A Copay official said in a Github discussion that the code was not implemented and deployed on any platforms.
After the post, Copay officials, however, updated their comment and mentioned that there were platforms that did contain the dangerous code. In response to the situation, Copay has released a blog post updating wallet users which versions were affected and warned users that they should avoid using the application until they have installed the latest version 5.2.0 that is free from the malicious code.
“This compromise…targeted a select few developers at a company, Copay, that had a very specific development environment setup,” said an NPM Official to Ars Technica. “Even then, the payload itself didn’t run on those develops’ computers; rather, it would be packaged into a consumer-facing app when the developers build a release,” NPM noted that the overall goal of the hacker was to steal cryptocurrencies from Copay’s end users since the malicious code was not designed to attack any developers.