Hacker Compromised JavaScript Library to Steal Bitcoin funds

Hacker Compromised JavaScript Library to Steal Bitcoin funds

Event-stream Node.js module called is used in millions of web applications, including BitPay’s open-source bitcoin wallet, Copay. This module was reportedly compromised thanks to the laziness, and incompetence of the engineer.

A hacker gained access to a popular JavaScript library and injected malicious code that steals Bitcoin and Bitcoin Cash funds stored in BitPay’s Copay wallet apps.

The researcher identified this malicious code last week, and have been able to understand what the heavily obfuscated malicious code actually does.

The library loading the malicious code is named Event-Stream, a JavaScript npm package for working with Node.js streaming data.

A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository for quite some time and gave control to the new user, called right9ctrl.

The new maintainer right9ctrl, injected a malware that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.

Ayrton Sparling, a computer science student at California State wrote:

“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally, the second commit (3 days later) after that he removes the injection and bumps a major version, so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”

The new maintainer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.

Copay’s open-source code is used by many crypto applications, and it happens to be built and maintained by Bitcoin payment processing company BitPay, which itself is in a dilemma.

Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users’ wallet information, including private keys, and send it to the copayapi.host URL on port 8080.

The hacker used this information to empty victims’ wallets. Looks like all versions of the Copay wallet released in September, October, and November is infected.

Earlier today, the BitPay team released Copay v5.2.2 to remove the Event-Stream and Flatmap-Stream dependencies.

Project maintainers who use the infected libraries are advised to update their dependency trees to the latest version –Event-Stream version 4.0.1. This link contains a list of all the 3,900+ JavaScript npm packages where Event-Stream is loaded as a direct or indirect dependency.

This manual update step is necessary as some projects are configured to cache all dependencies locally.  When attempting to download a non-existent npm package from npm.org., it might not trigger the usual console error.


    Leave a Comment


    Welcome! Login in to your account

    Remember me Lost your password?

    Don't have account. Register

    Lost Password