The presence of this malicious code was identified last week, but only today have researchers been able to understand what the heavily obfuscated malicious code actually does.
But according to an eagle-eyed user who spotted issues with Event-Stream last week, Right9ctrl had immediately poisoned the library with malicious code.
Right9ctrl released Event-Stream 3.3.6, which added a new dependency on the Flatmap-Stream library, version 0.1.1. Flatmap-Stream v0.1.1 is where the malicious code resides.
According to users on Twitter, GitHub, and Hacker News, this malicious code lies dormant until it's used inside the source code of Copay, a desktop and mobile wallet app developed by Bitcoin payment platform BitPay.
Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users' wallet information, including private keys, and send it to the copayapi.host URL on port 8080.
It is believed that the hacker is using this information to empty victims' wallets. In a blog post, the Copay team said all versions between 5.0.1 and 5.1.0 were officially deemed infected, and urged users to update to version 5.2.0 or later.
The malicious Event-Stream v3.3.6 has also been taken down from npmjs.com, but the Event-Stream library is still available. This is because Right9ctrl, in an attempt to hide his malicious code, released subsequent versions of Event-Stream that didn't contain any malicious code.
This manual update/removal step is necessary because some projects are configured to cache all dependencies locally. Such projects would keep building with the cached, poisoned version and would never see the console error that npm normally raises when a build tries to download a package that no longer exists on npmjs.com.
In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.
Update on November 27, 03:00am ET: Updated to add link to Copay's blog post.