The presence of this malicious code was identified last week, but only today have researchers been able to understand what the heavily obfuscated malicious code actually does.
But according to an eagle-eyed user who spotted issues with Event-Stream last week, Right9ctrl had immediately poisoned the library with malicious code.
Right9ctrl released Event-Stream 3.3.6 which contained a new dependency –for the Flatmap-Stream library version 0.1.1. The Flatmap-Stream library v0.1.1 is where the malicious code resides.
According to users on Twitter, GitHub, and Hacker News, this malicious code lays dormant until it’s used inside the source code of Copay, a desktop and mobile wallet app developed by Bitcoin payment platform BitPay.
Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users’ wallet information, including private keys, and send it to the copayapi.host URL on port 8080.
It is believed that the hacker is using this information to empty victims’ wallets. For the time being, it is safe to believe that all versions of the Copay wallet released in September, October, and this month, are considered to have been infected.
Earlier today, the BitPay team released Copay v5.2.2 to remove the Event-Stream and Flatmap-Stream dependencies.
The malicious Event-Stream v3.3.6 has also been taken down from npm.org, but the Event-Stream library is still available. This is because Right9ctrl, in an attempt to hide his malicious code, released subsequent versions of Event-Stream that didn’t contain any malicious code.
This manual update/removal step is necessary as some projects are configured to cache all dependencies locally, and might not trigger the usual console error when attempting to download a non-existent npm package from npm.org when building a new project version.
In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.