The malicious code was introduced in version 3.3.6, published on September 9 via the Node Package Manager (NPM) repository.
The Event-Stream library is a very popular NodeJS module that lets developers manage data streams; it has nearly 2 million downloads a week.
It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers.
The library was created by Dominic Tarr, who maintained it for a long time, but when he left the project he allowed an unknown programmer called “right9ctrl” to continue his work.
“he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.” wrote Tarr.
Tarr trusted right9ctrl because of his important contributions to the project, but once right9ctrl gained access to the library, he released a new version, Event-Stream 3.3.6, containing a new library called Flatmap-Stream as a dependency, which was specifically designed to implement the malicious feature.
The bad news is that the code remained undetected for more than 2 months because it was encrypted. The malicious code was spotted by Ayrton Sparling (FallingSnow on GitHub), a computer science student at California State University, who reported it.
“If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point).” reported Sparling on GitHub.
“If you are using a crypto-currency related library and if you see email@example.com after running npm ls event-stream flatmap-stream, you are most likely affected.
$ npm ls event-stream flatmap-stream
The manager of the NPM repository, who analyzed the malicious code, discovered that it was designed to target people using the open-source bitcoin wallet app BitPay, a distribution of the Copay project, which leverages event-stream.
A security advisory published by BitPay confirms that Copay versions 5.0.2 through 5.1.0 were affected by the malicious code. The organization released Copay version 5.2.0 to address the issue.
“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.” BitPay says in the advisory.
“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
The malicious code allows the attackers to steal digital coins stored in the Dash Copay Bitcoin wallets and transfer them to a server located in Kuala Lumpur, Malaysia.
On Monday, NPM maintainers removed the backdoor from the repository.
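The check Sparling describes can also be run against a lockfile. The script below is an added example, not code from the article, NPM or BitPay: it walks a parsed package-lock.json and reports event-stream 3.3.6 and any installed copy of flatmap-stream. The function names and sample data are constructed for illustration, and it goes beyond the quoted npm ls command by handling both the nested (lockfileVersion 1) and flat (lockfileVersion 2 and 3) lockfile layouts.

```javascript
// Added example. Indicators are the two the article names:
// event-stream 3.3.6 and any installed copy of flatmap-stream.
const BAD_EVENT_STREAM = '3.3.6';

function checkEntry(name, version, path, findings) {
  const hit = name === 'flatmap-stream' ||
    (name === 'event-stream' && version === BAD_EVENT_STREAM);
  if (hit) findings.push({ name, version, path });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkTree(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    checkEntry(name, info.version, here.join(' > '), findings);
    walkTree(info.dependencies, here, findings);
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function walkPackages(packages, findings) {
  const marker = 'node_modules/';
  for (const [key, info] of Object.entries(packages)) {
    const at = key.lastIndexOf(marker);
    if (at < 0) continue; // root project ("") or a workspace folder
    checkEntry(key.slice(at + marker.length), info.version, key, findings);
  }
}

// Takes a parsed package-lock.json object and returns the list of findings.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) walkPackages(lock.packages, findings);
  else walkTree(lock.dependencies, [], findings);
  return findings;
}

// Constructed samples: "example-tool", 3.3.4 and the flatmap-stream version are placeholders.
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-tool': { version: '1.0.0', dependencies: {
    'event-stream': { version: '3.3.6' },
    'flatmap-stream': { version: '0.0.0-placeholder' } } },
  'event-stream': { version: '3.3.4' } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '1.0.0' },
  'node_modules/event-stream': { version: '3.3.4' },
  'node_modules/example-tool/node_modules/event-stream': { version: '3.3.6' } } };

scanLockfile(sampleV1).forEach((f) => console.log(`${f.name}@${f.version} at ${f.path}`));
```

To scan a real project, pass scanLockfile the result of JSON.parse on the contents of its package-lock.json; a transitive copy nested under another package is reported with its full path.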