Several Bitcoin wallets have been compromised by an unknown rogue developer. The hack is believed to be the result of a mixture of social engineering, laziness, and incompetence.
A Node.js module called event-stream was found to have been compromised. The issue was first spotted by deanveloper, a GitHub user, who posted it earlier this week. Though the problem was discussed on GitHub all week, its connection with Bitcoin wallets was only discovered today.
Earlier, a user with little prior coding activity on GitHub had requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who had not actively maintained the repository in years. Tarr agreed and handed publishing rights for event-stream over to this new user, right9ctrl.
right9ctrl is suspected of using those rights to quietly inject malware into the module by way of a new dependency. The added code was able to leak private keys from applications that used both the event-stream and copay-dash modules.
The added code is considered malicious because it was targeted specifically at Bitcoin wallets. event-stream sees millions of weekly installs and is used in a huge number of applications, including BitPay's open-source bitcoin wallet Copay.
This breach has affected Copay and potentially other Bitcoin wallets. The open-source code used by Copay is reused in many applications, which has led to the belief that the effects reach beyond a single bitcoin wallet. Copay is maintained by BitPay, a multi-million dollar Bitcoin payment processing company.
One of the developers, Ayrton, explained the issue as follows:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
Long story short: the new event-stream maintainer, right9ctrl, published a version of the module that pulled in a malicious dependency (flatmap-stream), and then removed it again in a new major version so that the repository looked clean while everyone still on the 3.x line remained affected.
The week started roughly for the Bitcoin industry, with the world's largest cryptocurrency down by more than 35% in just a week. Now it might get even rougher.