Naked Security

JavaScript library used for sneak attack on Copay Bitcoin wallet

A mystery payload sneaked into a hugely popular JavaScript library was part of a plot to ransack Bitcoins from BitPay’s Copay mobile cryptocoin wallet, it has been alleged.

A mystery payload that was sneaked into a hugely popular JavaScript library seems to have been a deliberate plot to ransack bitcoins from a mobile cryptocoin wallet known as Copay, from a company called BitPay.
Back in September 2018, the author of a popular Node.js utility package called event-stream, a toolkit for working with streams of data, handed over the reins to a new maintainer going by the handle of Right9ctrl.
Days later, the new maintainer released an update to the package, version 3.3.6, which added a new dependency: an apparently related package called flatmap-stream.
In early October, another event-stream update appeared, as though Right9ctrl were throwing himself enthusiastically into his new role at the helm of the project…
…except that, on 20 November 2018, someone investigating an error in event-stream discovered cryptocurrency-stealing malware, hidden in the flatmap-stream component.

Lock up your Bitcoins

Because event-stream is used in thousands of projects, working out the payload’s target was an urgent priority.
This week, after frantic research, the intended victims were revealed: users of the Copay cryptowallet software.
Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote:

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.

What to do?

There are two sets of worried users here: developers whose projects depend on event-stream, and customers who use the Copay wallet. Both groups will be wondering what is safe and what is not.
On 26 November 2018, NPM reportedly took down the compromised versions of flatmap-stream and event-stream.
Intriguingly, version 4.0.1 of event-stream is still available, even though it was uploaded by Right9ctrl.
As far as we know, version 4.0.1 is malware-free, presumably uploaded to deflect suspicion from the unscrupulous changes introduced in version 3.3.6.
Developers who are still willing to trust event-stream and keep on using it should move to 4.0.1 (or pin a release earlier than 3.3.6), then check their lockfiles, node_modules directories and CI caches: a transitive dependency that pins 3.3.6 leaves the malicious flatmap-stream in the tree even after the direct dependency has been updated (here's hoping they realise that this is now necessary).
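A lockfile check of the kind just described, written for this article as an added example (it is not code from the original article, from the event-stream project or from BitPay). It treats event-stream 3.3.6 as the compromised release named above and, as an assumption, flags every version of flatmap-stream, since NPM removed that package and nothing should still resolve it. The two lockfiles and the package `some-cli-tool` are constructed for the example; the scanner handles both the nested lockfileVersion 1 tree and the flat `packages` map used by lockfileVersion 2 and 3.

```javascript
// Added example: scan an npm lockfile for the compromised event-stream / flatmap-stream
// versions. Not code from the article, event-stream or BitPay.
// Assumptions: event-stream 3.3.6 is the only compromised event-stream release (as the
// article states); every flatmap-stream version is treated as a hit ("*"), because npm
// removed the package. The lockfiles below are constructed; "some-cli-tool" is hypothetical.

const ADVISORY = {
  "event-stream": ["3.3.6"],
  "flatmap-stream": ["*"], // "*" matches any version
};

function isCompromised(name, version) {
  const bad = ADVISORY[name];
  if (!bad) return false;
  return bad.includes("*") || bad.includes(version);
}

// lockfileVersion 1: "dependencies" is a tree; an entry nests its own "dependencies"
// when a package needed a different version than the one hoisted to the top level.
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = parentPath ? `${parentPath} > ${name}` : name;
    if (isCompromised(name, entry.version)) {
      hits.push({ name, version: entry.version, path: here });
    }
    walkV1(entry.dependencies, here, hits);
  }
}

// lockfileVersion 2 and 3: "packages" is a flat map keyed by install path,
// e.g. "node_modules/some-cli-tool/node_modules/event-stream".
function walkV2(packages, hits) {
  for (const [installPath, entry] of Object.entries(packages || {})) {
    if (installPath === "") continue; // the root project's own entry
    const name = installPath.split("node_modules/").pop(); // keeps @scope/name intact
    if (isCompromised(name, entry.version)) {
      hits.push({ name, version: entry.version, path: installPath });
    }
  }
}

// Returns every compromised package in the lockfile, with the path that pulls it in.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) walkV2(lock.packages, hits); // v2 also carries "dependencies": don't count twice
  else walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed v1 lockfile: the direct event-stream dependency is already 4.0.1,
// but the hypothetical some-cli-tool still pins 3.3.6 (and so flatmap-stream) underneath it.
const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "4.0.1" },
    "some-cli-tool": {
      version: "1.0.0",
      requires: { "event-stream": "3.3.6" },
      dependencies: {
        "event-stream": {
          version: "3.3.6",
          requires: { "flatmap-stream": "0.1.1" },
          dependencies: { "flatmap-stream": { version: "0.1.1" } },
        },
      },
    },
  },
};

// The same constructed tree in lockfileVersion 3 form.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/event-stream": { version: "4.0.1" },
    "node_modules/some-cli-tool": { version: "1.0.0" },
    "node_modules/some-cli-tool/node_modules/event-stream": { version: "3.3.6" },
    "node_modules/some-cli-tool/node_modules/event-stream/node_modules/flatmap-stream": { version: "0.1.1" },
  },
};

// Prints each hit and returns the count, so a CI job can fail on a non-zero result.
function report(lock) {
  const hits = scanLockfile(lock);
  for (const h of hits) console.log(`${h.name}@${h.version} via ${h.path}`);
  return hits.length;
}

// Usage: node scan-lock.js path/to/package-lock.json (exit status 1 if anything was found).
// With no path it runs on the constructed sample instead.
if (typeof require === "function" && require.main === module) {
  if (process.argv[2]) {
    const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
    process.exitCode = report(lock) > 0 ? 1 : 0;
  } else {
    report(SAMPLE_LOCK_V1);
  }
}
```

Run against the sample, the direct dependency on 4.0.1 passes but the two nested entries are reported, which is exactly the case a plain `npm ls event-stream` at the top level can hide behind a "deduped" line: the package you updated is fine, the copy a tool pinned for itself is not.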
As for the Copay wallet, BitPay released a statement noting that the malicious code was present in versions 5.0.2 through 5.1.0 of the Copay and BitPay apps.
Users should download version 5.2.0 as soon as possible, and read the company's full instructions.
In summary:

  • If you still have any Copay version from 5.0.2 to 5.1.0 installed, don’t run or open the app.
  • If you’re a Copay user who ran an infected version of the software, you should assume that your private keys have been compromised. Move your funds to new wallets, using Copay 5.2.0 or later, as soon as possible.

The last thing for the development community to do, of course, is to ponder why Right9ctrl was so easily able to take over this widely-used project, and why so many projects pulled in the new maintainer's releases automatically, without anyone looking at what had changed.
As an exasperated Chris Northwood said:

Nothing’s stopping this happening again, and it’s terrifying.
