A popular open source JavaScript library used by thousands of apps, including major crypto wallets like BitPay and CoPay, was infected by its administrator to steal cryptocurrencies from the wallets. BitPay confirmed that the library, a Node.js package named Event-Stream, included malicious code that allowed the hacker to steal a wallet's private key. BitPay therefore warned its users to consider their private keys compromised and to move their currencies to a new wallet.
The malicious code was deployed in v5.0.2 through 5.1.0 of the CoPay and BitPay apps, but the strengthened security in the apps decreased the wallets' vulnerability. However, the organizations are still exploring whether the code was used to exploit any consumers.
BitPay confirmed in a recent statement that consumers should not move their funds until the wallets have been updated to v5.2.0. Users can then move their funds to the wallet that now uses the Send Max feature implementation, which allows additional security of the funds.
The library's original administrator transferred ownership to someone with the handle right9ctrl. The new maintainer released a new version of the library that included the malware. GitHub members on the forum targeted DominicTarr, the original maintainer, as supposedly being responsible for the activity. He maintained that he had to transfer ownership of the library because he was not able to maintain it himself.
right9ctrl was able to pull this off by contributing to the project and becoming a trusted member of the group. He then deployed the malicious code into the library, which was already being used in thousands of apps deployed across geographies. This shows that even if one developer on the team writes secure code, it doesn't mean that all the other developers contributing to the codebase do.
Source – SCMag