Hacker Infects Node.js Package to Steal from Bitcoin Wallets
A Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps.
The Node.js library is called “event-stream,” a toolkit for developers to create and work with streams. The malicious code in question was identified earlier this week to be added to the library’s version 3.3.6, published in September and has since been downloaded by millions of application programmers.
The event-stream module was originally by Dominic Tarr, who maintained the library before handing the reins to a project contributor who goes by the handle “right9ctrl.” Tarr indicated that he has not used the module for years and transferred its ownership after he received an email regarding its maintenance. The new maintainer has since released event-stream version 3.3.6, with a new dependency called “
Open-source project manager and event-stream host Node Package Manager (NPM) has since reviewed the obfuscated code and encrypted payload. NPM found that the malicious module has been designed to swipe bitcoins from Copay wallets, a wallet app by Bitcoin payment platform BitPay. Copay is said to have incorporated event-stream into its app.
The malicious code attempted to steal bitcoins stored in the Copay wallets and distributed via NPM in order to reportedly transfer the funds to a server located in Kuala Lumpur.
The backdoor has since been removed from NPM on Monday this week. BitPay has also published an advisory that users should update their Copay wallets (versions 5.0.2 through 5.1.0) to version 5.2.0 as the older versions may have been compromised. The company also clarified that the BitPay app was not affected by the malicious code.
Defending Against Cryptocurrency-Mining Malware
Copay users are advised to avoid running or opening affected versions (5.0.2 to 5.1.0) and immediately update their wallets to version 5.2.0. Users who ran the vulnerable versions of the software should assume that their private keys have been affected by the malware and should move their funds to Copay 5.2.0 or later.
Trend Micro™ Deep Discovery Inspector™ protects customers via this DDI rule:
- DDI Rule ID 26: C&C callback attempt
Indicators of Compromise (IoCs)
Related hashes (SHA-256):
- afc100fb28f7bac05e41d9ae33f184502b8068642b7fd05970eb72bf1786892c - Coinminer.Win32.MALBTC.AA
- 8b90859b19e3e3dea8d923996709210ed48ff3249563f56ff12eb1936ffcc295 - Coinminer.Win32.MALBTC.AA
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases