Multiple cryptocurrency wallets compromised


A Node.js module called event-stream is used by millions of web applications, including BitPay’s open-source bitcoin wallet Copay, and this module was reportedly compromised recently, leading to a host of issues for the wallets relying on the underlying code.

A user with very little activity on GitHub requested publishing rights to the event-stream module from the original creator Dominic Tarr, who said that he had not maintained the repo in years and gave control to the new user, right9ctrl.

According to a complaint on GitHub, the new maintainer right9ctrl may have injected malware into the module. It is unclear if he did so knowingly, but the end effect is that the module can leak private keys from applications that rely on both the event-stream and copay-dash modules.

Ayrton Sparling wrote:

“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”

Basically, the new maintainer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed the affected release remain affected. Copay, whose open-source code is itself used by many crypto applications, is one of many projects that use the module, but it happens to be built and maintained by a multi-million dollar Bitcoin payment processing company, BitPay, which raises other questions.

Why Does BitPay Use Upstream Libraries?

Gary Bernhardt (@garybernhardt):

An NPM package with 2,000,000 weekly downloads had malicious code injected into it. No one knows what the malicious code does yet. https://github.com/dominictarr/event-stream/issues/116 


Sven Slootweg (@joepie91):

We know now: it targeted copay-dash, a Bitcoin wallet, and steals the wallet files.

Those outside of the open source development scene may have the misconception that development on these projects is largely done as a hobby, but this is far from the case. The majority of open source development, such as work on Bitcoin Core or work on the Linux Kernel, for instance, is done by developers who are employed by companies.

Brian Hoffman (@brianchoffman):

You do know how many products and services do this? This is a much bigger issue than just BitPay.


Companies like Red Hat contribute code to the Linux Kernel and companies like Blockstream employ Bitcoin Core developers. The reason is obvious: while they could simply wait on releases and rely on the work of others, these companies understandably have goals and deadlines as well as significant money at stake.

Jackson Palmer (@ummjackson):

Looks like this attack was specifically crafted to target a NPM module used by the Copay wallet.

Jackson Palmer (@ummjackson):

This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly


With millions upon millions of dollars in client wallets being entrusted to these companies, the onus is on them to thoroughly test these upstream modules. If BitPay is not interested in actively developing libraries like event-stream, then it should use forked versions and verify that each update is safe before shipping it. Instead, as many industry stakeholders have alleged, the company has demonstrated incompetence.
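One concrete form such verification can take, as an added example that is not code from the article, BitPay or Copay: walk an installed npm dependency tree and flag every copy of event-stream on the 3.x line (which the article says stayed affected) and every copy of flatmap-stream (the injected package). The package names are from the article; the lockfile layout assumed is npm's lockfile v1 with nested `dependencies` objects, and the sample lockfile and its version numbers are constructed.

```javascript
// Added example, not code from the article, BitPay or Copay: scan an npm
// package-lock.json (lockfile v1 layout, nested "dependencies") for installed
// copies of event-stream 3.x and flatmap-stream. Package names come from the
// article; the lockfile and version numbers below are constructed sample data.

// Package name -> predicate on the installed version string.
const SUSPECT = {
  "event-stream": (v) => v.split(".")[0] === "3",
  "flatmap-stream": () => true,
};

// Depth-first walk over the lockfile tree, recording the path to each match
// so the reader can tell which top-level dependency dragged the package in.
function walk(deps, path, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    const isSuspect = SUSPECT[name];
    if (isSuspect && isSuspect(info.version)) {
      findings.push({ name, version: info.version, path: here.join(" > ") });
    }
    walk(info.dependencies, here, findings);
  }
  return findings;
}

// Accepts the parsed lockfile object or its raw JSON text.
function scanLockfile(lock) {
  const tree = typeof lock === "string" ? JSON.parse(lock) : lock;
  return walk(tree.dependencies, [], []);
}

// Constructed sample: a wallet-style app that pulls event-stream 3.x in
// transitively through a build tool, plus a direct 4.x copy that is not flagged.
const SAMPLE_LOCK = {
  name: "example-wallet",
  lockfileVersion: 1,
  dependencies: {
    "some-build-tool": {
      version: "1.0.0",
      dependencies: {
        "event-stream": {
          version: "3.3.0",
          dependencies: { "flatmap-stream": { version: "0.1.0" } },
        },
      },
    },
    "event-stream": { version: "4.0.0" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

Run it against a real project by replacing `SAMPLE_LOCK` with the parsed contents of that project's package-lock.json; anything the scan reports should be removed or replaced before a release ships.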
