event-stream, an npm module pulled into an enormous number of JavaScript projects, among them BitPay’s open-source Bitcoin wallet Copay, has been compromised, potentially leaving other wallets that depend on it exposed as well.
BitPay published an advisory saying Copay versions 5.0.2 through 5.1.0 were affected by the malicious code and that users with these versions installed should avoid running or opening the app until they install Copay version 5.2.0.
“Our team is continuing to investigate this issue and the extent of the vulnerability,” the official announcement reads. “Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.”
Copay, the affected wallet, has more than 100,000 downloads on Android; the number of users on other platforms such as iOS or Windows is not known.
Any other wallets using this module might be affected as well, although as of the time of writing, none of them have come forward.
The problem stems from a GitHub user who volunteered to take over maintenance of the library, used that access to add malicious code, and then cleaned the code up again to avoid detection.
The user, known only as “right9ctrl,” took over maintenance of the module from its original creator, developer Dominic Tarr, who said that he had not maintained the repository in years. In short, the new maintainer published a version of the module that carried the malware and then published a later version without it, so the current source looked clean while everyone who had installed the tainted version in the meantime remained affected. Well-known developer Jameson Lopp explained:
The npm “event-stream” repository has been compromised; if you are using it in a project along with “copay-dash” then the malware will steal any private keys it can find. https://t.co/fAnH6ik1n9
— Jameson Lopp (@lopp) November 26, 2018
Jackson Palmer, an Australian entrepreneur and technologist best known for creating the infamously successful “joke” cryptocurrency Dogecoin, added:
— Jackson Palmer (@ummjackson) November 26, 2018
event-stream is downloaded roughly two million times a week by developers for many different purposes. The tainted release, event-stream 3.3.6, was published to the npm registry on September 9 and pulled the malicious code in through a newly added dependency, flatmap-stream; by the time the problem was noticed it had been downloaded nearly 8 million times.
The malicious code attempted to steal the private keys of Copay wallets (it was keyed to projects built together with copay-dash, as Lopp’s tweet above notes) and send them to a server located in Kuala Lumpur. npm pulled the malicious package from the registry on Monday, November 26.