BitPay wallet vulnerability caused by use of popular JavaScript library

Quick Take

  • The vulnerability allowed bitcoin and bitcoin cash to be stolen from user accounts
  • Many apps make use of the compromised code, but only crypto-wallet apps were affected

A vulnerability in the popular JavaScript library event-stream, used for streaming data in Node.js applications, affected BitPay's Copay wallet application, which depended on the library downstream. The vulnerability enabled malicious actors to steal bitcoin and bitcoin cash from accounts using BitPay's Copay wallet application. Popular applications are built on many layers of open-source tooling. With too many changes to track manually, developers often take the stability of large open-source libraries for granted.
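The "downstream" relationship above is the practical question a team has to answer after an incident like this one: does our app pull in event-stream at all, through which packages, and at which versions? The script below is an added example written for this article; it is not code from the article, BitPay or the event-stream project. It takes the shape of a `package-lock.json` with `lockfileVersion` 1 (where `requires` records what a package asks for and nested `dependencies` records privately installed copies) plus the app's direct dependencies from `package.json`, and prints every dependency chain that ends at a named package. The lockfile and every package name other than event-stream are constructed placeholders, not real npm packages.

```javascript
// Added example: list every dependency chain in a lockfile that ends at a
// named package, so a team can see whether it is downstream of a library such
// as event-stream and through which packages. Not code from the article or
// from the projects it names.

// Constructed sample data (placeholder packages, not real npm modules).
const SAMPLE_DIRECT = ["build-tool-x", "util-y"]; // from package.json
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "build-tool-x": {
      version: "1.2.0",
      requires: { "event-stream": "^3.3.0", "util-y": "^2.0.0" },
    },
    "event-stream": {
      version: "3.3.6",
      requires: { "stream-helper-z": "0.1.0" },
    },
    "stream-helper-z": { version: "0.1.0" },
    "util-y": {
      version: "2.1.0",
      requires: { "legacy-plugin": "^1.0.0" },
    },
    "legacy-plugin": {
      version: "1.0.0",
      requires: { "event-stream": "^2.0.0" },
      // An older major installed privately under legacy-plugin/node_modules.
      dependencies: { "event-stream": { version: "2.0.0" } },
    },
  },
};

// Resolve `name` the way Node does: innermost node_modules scope first.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { entry: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null; // not recorded in the lockfile (e.g. an optional dependency)
}

// Return every chain of "name@version" strings from a direct dependency down
// to `target`. Cycles are cut per path, so the walk always terminates.
function findDependencyPaths(lock, directDeps, target) {
  const found = [];
  const rootScope = lock.dependencies || {};

  function walk(name, entry, scopes, path, seen) {
    const id = `${name}@${entry.version}`;
    if (seen.has(id)) return;
    const chain = path.concat(id);
    if (name === target) {
      found.push(chain);
      return;
    }
    // A package's own nested node_modules shadows the outer scopes.
    const inner = entry.dependencies ? scopes.concat(entry.dependencies) : scopes;
    const nextSeen = new Set(seen).add(id);
    for (const dep of Object.keys(entry.requires || {})) {
      const r = resolve(dep, inner);
      if (r) walk(dep, r.entry, r.scopes, chain, nextSeen);
    }
  }

  for (const dep of directDeps) {
    const r = resolve(dep, [rootScope]);
    if (r) walk(dep, r.entry, r.scopes, [], new Set());
  }
  return found;
}

// Distinct versions of the target actually installed, for comparison against
// an advisory's list of affected versions.
function installedVersions(paths) {
  const versions = paths.map((p) => p[p.length - 1].split("@").pop());
  return [...new Set(versions)].sort();
}

const samplePaths = findDependencyPaths(SAMPLE_LOCK, SAMPLE_DIRECT, "event-stream");
for (const p of samplePaths) console.log(p.join(" -> "));
console.log("installed versions:", installedVersions(samplePaths).join(", "));
```

On the constructed sample the script reports three chains, two of which reach a second, privately nested copy of event-stream that a flat `grep` of the top-level `dependencies` would miss; that is exactly the case where a team believes it is "not affected" while still shipping the package. Replace `SAMPLE_LOCK` and `SAMPLE_DIRECT` with the parsed contents of a real lockfile and `package.json` to run it against an actual project.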

In this case, the malicious code entered the library through a well-executed social-engineering attack: the attacker, an anonymous developer with the handle right9ctrl, was given control of the code repository by its maintainer Dominic Tarr three months ago, after offering to help maintain the code.

The malicious code was flagged in the original repository six days ago but only understood more recently as it specifically targeted the app Copay,