BTC, BCH of Copay Users at Risk After Developers Discover Malicious Code
The attacker injected the malicious code onto an open source library—Event-Stream—used by both BitPay and Copay crypto wallet applications. The inconspicuous code, developers have recently learned, would come to life only when used inside Copay.
Copay is a wallet developed by crypto payment service company BitPay.
Yikes. The @BitPay Copay wallet was/is vulnerable to keys being stolen due to the "event-stream" @npmjs module containing malware because @dominictarr handed over maintenance of the module to a random person who emailed him. Millions of other NPM module users also affected. 😲 https://t.co/zYdc1rwlVm
— Jackson Palmer (@ummjackson) November 26, 2018
With the malicious code, the attacker could potentially steal important wallet information and use them to siphon off cryptos to a different address.
However, it was still unclear as to whether the attacker had managed to steal private keys.
The BitPay team, on a post, said:
“[The] BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app.”
BitPay’s development team has since released updated versions of both wallet apps that do not use the poisoned library. The team recommended its users to transfer their funds to the new wallet version after updating their old wallets.