Malicious Hacker Secretly Accessed JavaScript Library to Swindle Bitcoin Funds

Nov 29, 2018 at 16:20 // News
Author: Coin Idol

A hacker gained access to a JavaScript library and inserted malicious code that steals cryptocurrency funds, specifically Bitcoin Core (BTC) and Bitcoin Cash (BCH), held in BitPay's Copay wallet applications.

The existence of this malicious code was discovered last week, but it was only on Monday, November 26, that researchers were able to determine what the heavily obfuscated code actually did.

Dormant While Not in Use

The library that loads the malicious code is Event-Stream, a JavaScript NPM package for working with Node.js streaming data.

Right9ctrl earlier released Event-Stream 3.3.6, which had a new dependency on the Flatmap-Stream library, version 0.1.1, where the malicious code was stored.

Users on GitHub, Hacker News and Twitter said that the malicious code lies dormant until it is used inside the source code of Copay, the desktop and mobile wallet app developed by BitPay, a Bitcoin payments platform.

Once the malicious code has been built and launched inside infected versions of the Copay wallet app, it steals users' wallet data and sends it to the copayapi.host URL on port 8080.

Experts believe that the hacker used this data to empty victims' wallets. According to its blog post, the Copay team said that all versions from 5.0.1 to 5.1.0 are considered infected and advised users to update to version 5.2.0 or later.
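An added example, not code from the article, NPM or BitPay: a Node.js check that walks a parsed `package-lock.json` and reports any install of the two package versions named above. The sample lockfiles and the `example-dev-tool` package name are constructed for illustration.

```javascript
// Indicators from the article: Event-Stream 3.3.6 and Flatmap-Stream 0.1.1.
const FLAGGED = new Set(['event-stream@3.3.6', 'flatmap-stream@0.1.1']);
const isFlagged = (name, version) => FLAGGED.has(`${name}@${version}`);

// lockfileVersion 1: nested "dependencies" tree; record the chain that pulled it in.
function walkTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (isFlagged(name, meta.version)) {
      hits.push({ name, version: meta.version, path: chain.join(' > ') });
    }
    walkTree(meta.dependencies, chain, hits);
  }
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/b"; the package name is the last segment.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      if (name && isFlagged(name, meta.version)) hits.push({ name, version: meta.version, path });
    }
  } else {
    walkTree(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample lockfiles ("example-dev-tool" is a made-up package name).
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-dev-tool': { version: '1.0.0',
      dependencies: { 'event-stream': { version: '3.3.6' } } },
    'flatmap-stream': { version: '0.1.1' },
  },
};
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '0.0.0' },
    'node_modules/event-stream': { version: '3.3.4' },
    'node_modules/example-dev-tool/node_modules/event-stream': { version: '3.3.6' },
  },
};

console.log(findFlagged(SAMPLE_V1), findFlagged(SAMPLE_V3));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `findFlagged`; the `path` field shows which dependency pulled the flagged version in.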

Not Just Once

This does not appear to be the first JavaScript-related security incident in recent years. For instance, in July 2018, a hacker infected the ESLint library with malicious code designed to steal the NPM credentials of other developers.

In May this year, a hacker attempted to conceal a backdoor in another popular NPM package called getcookies.

And in August last year, the NPM team removed 38 JavaScript NPM packages caught stealing environment variables from other projects, including information such as API keys and passwords.