The attacker injected a malicious code, called Event-Stream, into a NodeJS package that is used by the Copay and BitPay apps enabling an attacker to steal a wallet’s private keys, a fact confirmed by Bitpay. Bitpay warned users to assume their private keys on affected wallets have been compromised, so any funds should be moved to new wallets immediately.
“Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users,” Bitpay said in a blog.
Bitpay recommends users to not shift any funds until the affected wallets are updated to version 5.2.0 and then to the newly created wallet using the Send Max feature to initiate transactions of all funds.
The problem started, according to a conversation on Github, when the code’s original minder, who goes by the handle dominictarr, transferred ownership of the module to someone with the handle “right9ctrl”. This new maintainer then issued a new release, Event-Stream 3.3.6, that contained the malware, according to the Github forum.
Several Github members took dominictarr to task for his move, which he said was done due to a lack of time on his part to maintain the code.
“You put at risk millions of people, and making something for free, but public, means you are responsible for the package,” wrote XhmikosR.
“There is a huge difference between not maintaining a repo/package, vs giving it away to a hacker (which actually takes more effort than doing nothing), then denying all responsibility to fix it when it affects millions of innocent people,” chimed in jaydenseric.
Casey Ellis, CTO at Bugcrowd, said right9ctrl was able to pull off the attack by submitting to the project, building trust and then obtaining control.
“The main takeaway with this attack is that in the world of modern software, it’s turtles all the way down... Just because the code you write is secure, doesn’t mean that the code other developers write for you is. The only way to get ahead of this is to practice deep and continuous abuse-case (i.e., security) testing,” he said.
One lone piece of good news was revealed by Mounir Hahad, head of the Juniper Threat Labs.
“Based on our research, there have been very few (single digit) attempts to connect to the threat actor’s command and control server hosting copayapi[.]host, which could be a good sign that not many people have been affected, if any at all,” he told SC Media.