Event-stream Node.js module called is used in millions of web applications, including BitPay’s open-source bitcoin wallet, Copay. This module was reportedly compromised thanks to the laziness, and incompetence of the engineer.
The researcher identified this malicious code last week, and have been able to understand what the heavily obfuscated malicious code actually does.
A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository for quite some time and gave control to the new user, called right9ctrl.
The new maintainer right9ctrl, injected a malware that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.
Ayrton Sparling, a computer science student at California State wrote:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally, the second commit (3 days later) after that he removes the injection and bumps a major version, so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
The new maintainer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.
Copay’s open-source code is used by many crypto applications, and it happens to be built and maintained by Bitcoin payment processing company BitPay, which itself is in a dilemma.
Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users’ wallet information, including private keys, and send it to the copayapi.host URL on port 8080.
The hacker used this information to empty victims’ wallets. Looks like all versions of the Copay wallet released in September, October, and November is infected.
Earlier today, the BitPay team released Copay v5.2.2 to remove the Event-Stream and Flatmap-Stream dependencies.
This manual update step is necessary as some projects are configured to cache all dependencies locally. When attempting to download a non-existent npm package from npm.org., it might not trigger the usual console error.