The widely used open source software that has been compromised is event-stream, a code library with 2 million downloads.
According to Bleeping Computer event-stream is built to simplify working with Node.js streaming modules and it is available through the npmjs.com repository.
Researchers found the malicious code last week, warned that earlier versions of the library includes a new component, ‘flatmap-stream’ version 0.1.1, that contains dangerous code.
This compromise was apparently introduced when Dominic Tarr, the original developer of Event-Stream, gave up the library and passed it to another developer, right9ctrl.
Unfortunately, it seems that Right9ctrl implemented the malicious changes as soon as they received access to the popular library. He or she then published the updated version.
“He [right9ctrl] emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore and haven’t for years,” Tarr reportedly said, adding that he no longer had publishing rights for the library on npmjs.com.
Dominic Tarr admitted he made a mistake by transferring the rights to the repository whilst it remained under his username.
It seems the malicious code targets libraries associated with the Copay Bitcoin wallet app, and it seems highly likely the intend was to steal wallet files.
Bleeping Computer said the injected code tries to steal the bitcoins in the wallet and then attempts to connect to copayapi.host and to the IP address 22.214.171.124 in Malaysia.
Right9ctrl later published an update without the malicious code embedded, in a move that some feel was designed to hide their tracks.
Do you know all about security? Try our quiz!