Malicious code injected into BitPay’s Copay wallet steals private keys

Copay, the multisignature wallet from BitPay, described itself as a “secure, shared Bitcoin wallet.” That, apparently, hasn’t been the case for the past several months.

On Monday, BitPay warned users that its open-source wallet has been compromised by a malware that “could be used to capture users’ private keys.” According to the blockchain payments company, users “should assume that private keys on affected wallets may have been compromised”—specifically versions 5.0.2 through 5.1.0 of the Copay and BitPay apps—and they should move their funds to the 5.2.0 version of the app immediately.

The malicious code in question has been injected into a Node.js module called Event-Stream by a new user who given access to the popular JavaScript library by its original author three months ago. Dominic Tarr, previous maintainer of the repository, said he entrusted its development to a new user called right9ctrl who “wanted to maintain the module.”

The new maintainer then proceeded to release Event-Stream 3.3.6 containing Flatmap-Stream library 0.1.1, where the malicious code resides. On GitHub, Ayrton Sparling explained: “He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”

The malicious code only executes successfully if its’s used inside the Copay source code, stealing a user’s wallet information such as private keys, which it sends to the URL on port 8080. According to user Nicolas Noble, “If your overall application has both this malicious package and “copay-dash”, then it’s going to try stealing the bitcoins stored in it.”

BitPay said its BitPay app was not vulnerable to the code, noting that it’s still investigating whether the code vulnerability affected any Copay users. BitPay warned, “Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

At press time, the Event-Stream 3.3.6 version has already been taken down, although the Event-Stream library remains available after Right9ctrl released other versions of the module in an effort to hide his malicious code. And the damage, as they say, has been done.

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.