A Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps.
The Node.js library is called “event-stream,” a toolkit for developers to create and work with streams. The malicious code in question was identified earlier this week to be added to the library’s version 3.3.6, published in September and has since been downloaded by millions of application programmers.
The event-stream module was originally by Dominic Tarr, who maintained the library before handing the reins to a project contributor who goes by the handle “right9ctrl.” Tarr indicated that he has not used the module for years and transferred its ownership after he received an email regarding its maintenance. The new maintainer has since released event-stream version 3.3.6, with a new dependency called “flatmap-stream” that contained the malicious code.
Since the flatmap-stream module was encrypted, the malicious code remained undetected for over two months until Ayrton Sparling (FallingSnow) flagged the issue on GitHub last week.
Open-source project manager and event-stream host Node Package Manager (NPM) has since reviewed the obfuscated code and encrypted payload. NPM found that the malicious module has been designed to swipe bitcoins from Copay wallets, a wallet app by Bitcoin payment platform BitPay. Copay is said to have incorporated event-stream into its app.
The malicious code attempted to steal bitcoins stored in the Copay wallets and distributed via NPM in order to reportedly transfer the funds to a server located in Kuala Lumpur.
The backdoor has since been removed from NPM on Monday this week. BitPay has also published an advisory that users should update their Copay wallets (versions 5.0.2 through 5.1.0) to version 5.2.0 as the older versions may have been compromised. The company also clarified that the BitPay app was not affected by the malicious code.
Defending Against Cryptocurrency-Mining Malware
Copay users are advised to avoid running or opening affected versions (5.0.2 to 5.1.0) and immediately update their wallets to version 5.2.0. Users who ran the vulnerable versions of the software should assume that their private keys have been affected by the malware and should move their funds to Copay 5.2.0 or later.