JavaScript Code Compromises Bitcoin Wallets

A popular JavaScript library has been compromised by an unknown hacker who inserted malicious code to steal from cryptocurrency wallets.

The widely used open source software that has been compromised is event-stream, a code library with 2 million downloads.

According to Bleeping Computer event-stream is built to simplify working with Node.js streaming modules and it is available through the npmjs.com repository.

Malicious code

Researchers found the malicious code last week, warned that earlier versions of the library includes a new component, ‘flatmap-stream’ version 0.1.1, that contains dangerous code.

This compromise was apparently introduced when Dominic Tarr, the original developer of Event-Stream, gave up the library and passed it to another developer, right9ctrl.

Unfortunately, it seems that Right9ctrl implemented the malicious changes as soon as they received access to the popular library. He or she then published the updated version.

“He [right9ctrl] emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore and haven’t for years,” Tarr reportedly said, adding that he no longer had publishing rights for the library on npmjs.com.

Dominic Tarr admitted he made a mistake by transferring the rights to the repository whilst it remained under his username.

It seems the malicious code targets libraries associated with the Copay Bitcoin wallet app, and it seems highly likely the intend was to steal wallet files.

Bleeping Computer said the injected code tries to steal the bitcoins in the wallet and then attempts to connect to copayapi.host and to the IP address 111.90.151.134 in Malaysia.

Right9ctrl later published an update without the malicious code embedded, in a move that some feel was designed to hide their tracks.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

WhatsApp, Facebook Messenger To Integrate Chats – Report

Chat integration? Facebook is reportedly working to allow WhatsApp users to chat with Facebook Messenger…

10 hours ago

Apple Irish Back Tax Ruling Expected Next Week

Ruling in appeal against European Commission's order that Apple pay the Irish government $16 billion…

11 hours ago

Facebook Boycott Organisers Disappointed With Zuckerberg Meeting

No concessions. Organisers of the advertising boycott of Facebook left disappointed after meeting CEO Mark…

13 hours ago

Google Project Loon Finally Approved For Kenya Deployment

Two years after deal was first signed, Project Loon is approved by Kenyan government for…

14 hours ago

Tech Firms Withhold Data Sharing With Hong Kong

Tech giants pledge pause data sharing with authorities in Hong Kong, after China imposed draconian…

15 hours ago

Government ‘Planning Removal’ Of Huawei 5G Equipment

Government said to be considering dramatic reversal of earlier 5G plans on new security advice…

3 days ago