Popular npm library contained malicious code to steal cryptocurrencies

Criminals planted malicious code in Event-Stream, a popular JavaScript npm library. The library was used in BitPay’s Copay apps, so the code could reach wallets and steal bitcoin and bitcoin cash.

Last week it was discovered that Event-Stream contained malicious code, but at that time it was not yet known what the code did. The npm library, which handles streaming data in Node.js, is downloaded about two million times a week from npmjs.com.

The code injection took place on October 5 in Flatmap-Stream, a dependency that developer @right9ctrl had added to Event-Stream 3.3.6 in September before publishing that version. Three days later he published a new version without the injection, but by then there were already a large number of installations. The original developer, Dominic Tarr, had previously transferred control of Event-Stream to @right9ctrl because he lacked the time and interest for further development, ZDNet writes. Flatmap-Stream 1.1 can no longer be installed via npm.

Analysis of the malicious code showed that it had no effect until it was used by some developers in the source code of Copay, a wallet app from BitPay. Once compiled into the consumer app, the code became active and targeted end users. Versions 5.0.2 to 5.1.0 were therefore vulnerable and should no longer be used, BitPay warns.

Within the app, the code was able to map wallet profiles and forward private keys to a server in Kuala Lumpur. The data could be used by criminals to steal bitcoin and bitcoin cash from the wallets. BitPay advises users to transfer funds to version 5.2.0 of the wallet as soon as possible.
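
To check whether a Node.js project pulled in the packages named above, the following added example (not code from BitPay, npm or the original article) walks a parsed package-lock.json and reports Event-Stream 3.3.6 and any Flatmap-Stream entry, including nested ones. The sample lockfile and its package names are constructed, and flagging every Flatmap-Stream version is an assumption made here.

```javascript
// Added example: flag the packages named in the article inside a parsed package-lock.json.
const FLAGGED = [
  // event-stream 3.3.6: the release the article says shipped with flatmap-stream
  { name: "event-stream", match: (v) => v === "3.3.6" },
  // Assumption: any flatmap-stream version is treated as suspect
  { name: "flatmap-stream", match: () => true },
];

function check(name, version, path, hits) {
  if (FLAGGED.some((r) => r.name === name && r.match(version))) {
    hits.push({ name, version, path });
  }
}

// lockfileVersion 1: nested "dependencies" trees
function walkDeps(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    check(name, info.version, path.join(" > "), hits);
    walkDeps(info.dependencies, path, hits);
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path
function walkPackages(packages, hits) {
  for (const [key, info] of Object.entries(packages)) {
    const parts = key.split("node_modules/").filter(Boolean)
      .map((p) => p.replace(/\/$/, ""));
    if (parts.length === 0) continue; // "" is the root project itself
    check(parts[parts.length - 1], info.version, parts.join(" > "), hits);
  }
}

function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkDeps(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (hypothetical package names and versions)
const SAMPLE = { lockfileVersion: 1, dependencies: {
  "event-stream": { version: "3.3.4" },
  "example-build-tool": { version: "1.0.0", dependencies: {
    "event-stream": { version: "3.3.6", dependencies: {
      "flatmap-stream": { version: "0.0.0-constructed" } } } } },
} };

console.log(auditLockfile(SAMPLE));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; each hit carries the dependency path that introduced the package.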
