Malicious code was found in the open-source Copay and BitPay wallets. It is now fixed, but it stayed unnoticed for a while
EventStream (the npm package event-stream) is a Node.js library of stream utilities. It has about 2 million weekly downloads and is used by Fortune 500 companies and many startups, among them BitPay and its Copay wallet.
EventStream is an open-source library that for a long time was maintained by GitHub user dominictarr.
At one point Dominic, no longer interested in maintaining it, handed the publish rights to a stranger who emailed him and asked for them.
Yikes. The @BitPay Copay wallet was/is vulnerable to keys being stolen due to the "event-stream" @npmjs module containing malware because @dominictarr handed over maintenance of the module to a random person who emailed him. Millions of other NPM module users also affected. 😲 https://t.co/zYdc1rwlVm— Jackson Palmer (@ummjackson) November 26, 2018
The new maintainer published a version of the library that pulled in an additional dependency, flatmap-stream, carrying an obfuscated malicious payload. The payload was aimed at cryptocurrency wallets that bundled event-stream into their production builds and only activated inside such a build. Once active, it exfiltrated users' wallet private keys, letting the attacker drain the affected wallets.
The malicious dependency was published in September 2018 and not reported until 20 November 2018, so the backdoor went undetected for roughly two months. No theft of funds was reported, and the malicious dependency was removed.
Re: event-stream library backdoor, a fun way to prevent this kind of attack would be to have pkg authors sign their releases with a Bitcoin pubkey that can spend a txout, then pin dependencies to that specific txout.— Peter Todd (@peterktodd) November 26, 2018
Prevents package ownership transfer w/o pubkey change b/c $$$ pic.twitter.com/LE6hkNgch6
For more details on the incident, see the article "Widely used open source software contained bitcoin-stealing backdoor."