BTC, BCH of Copay Users at Risk After Developers Discover Malicious Code

Precious Bitcoins (BTC) and Bitcoin Cash (BCH) held by many owners could be in danger of being stolen after a code was maliciously injected onto two JavaScript-based cryptocurrency wallets to steal users’ private keys, among others.

The attacker injected the malicious code onto an open source library—Event-Stream—used by both BitPay and Copay crypto wallet applications. The inconspicuous code, developers have recently learned, would come to life only when used inside Copay.

Copay is a wallet developed by crypto payment service company BitPay.

With the malicious code, the attacker could potentially steal important wallet information and use them to siphon off cryptos to a different address.

However, it was still unclear as to whether the attacker had managed to steal private keys.

The BitPay team, on a post, said:

“[The] BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app.”

BitPay’s development team has since released updated versions of both wallet apps that do not use the poisoned library. The team recommended its users to transfer their funds to the new wallet version after updating their old wallets.

| Related: Amended Suit Filed Against Coinbase for Bitcoin Cash (BCH) Insider Trading