Hacker backdoors popular JavaScript library to steal Bitcoin funds

Users of BitPay's Copay desktop and mobile wallet apps are affected. An update has been released earlier today that doesn't contain the malicious code.


A hacker has gained (legitimate) access to a popular JavaScript library and has injected malicious code that steals Bitcoin and Bitcoin Cash funds stored inside BitPay’s Copay wallet apps.

The presence of this malicious code was identified last week, but only today have researchers been able to understand what the heavily obfuscated malicious code actually does.

 The library loading the malicious code is named Event-Stream, a JavaScript npm package for working with Node.js streaming data.

This is an extremely popular JavaScript library, with over two million weekly downloads on the npm.org repository, but about three months ago, its original author, due to a lack of time and interest, handed its development over to another programmer named Right9ctrl.

But according to an eagle-eyed user who spotted issues with Event-Stream last week, Right9ctrl had immediately poisoned the library with malicious code.

Right9ctrl released Event-Stream 3.3.6 which contained a new dependency –for the Flatmap-Stream library version 0.1.1. The Flatmap-Stream library v0.1.1 is where the malicious code resides.

According to users on Twitter, GitHub, and Hacker News, this malicious code lays dormant until it’s used inside the source code of Copay, a desktop and mobile wallet app developed by Bitcoin payment platform BitPay.

Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users’ wallet information, including private keys, and send it to the copayapi.host URL on port 8080.

It is believed that the hacker is using this information to empty victims’ wallets. For the time being, it is safe to believe that all versions of the Copay wallet released in September, October, and this month, are considered to have been infected.

Earlier today, the BitPay team released Copay v5.2.2 to remove the Event-Stream and Flatmap-Stream dependencies.

Maintainers of the npm.org JavaScript package repository have also intervened and taken down the Flatmap-Stream library from their site, making it inaccessible to all the projects where this was being loaded via the npm package installer utility.

The malicious Event-Stream v3.3.6 has also been taken down from npm.org, but the Event-Stream library is still available. This is because Right9ctrl, in an attempt to hide his malicious code, released subsequent versions of Event-Stream that didn’t contain any malicious code.

Project maintainers who use these two libraries are advised to update their dependency trees to the latest version available –Event-Stream version 4.0.1. This link contains a list of all the 3,900+ JavaScript npm packages where Event-Stream is loaded as a direct or indirect dependency.

This manual update/removal step is necessary as some projects are configured to cache all dependencies locally, and might not trigger the usual console error when attempting to download a non-existent npm package from npm.org when building a new project version.

This is not the first JavaScript/npm-related security issue that has taken place in the past years. In July this year, a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.

In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.

In August 2017, the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from other projects, in an attempt to collect project-sensitive information, such as passwords or API keys.