A Node.js module called event-stream is used in millions of web applications, including BitPay’s open-source bitcoin wallet — Copay — and this module was reportedly compromised.
A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository in years and gave control to the new user, called right9ctrl.
The library event-stream is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either pulled a sneaky move to inject malware or unknowingly had the same effect as if he had, that effect being that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected,” – Ayrton Sparling wrote.
The developer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.
Later, the BitPay team released the statement regarding the vulnerability. The team confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of their Copay and BitPay apps. The BitPay app was not vulnerable to the malicious code. BitPay is still investigating whether this code vulnerability was ever exploited against Copay users.
“Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily,” – reads the statement.
The team adds that private keys on affected wallets may have been compromised, so users should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.