A hacker or hackers sneaked a backdoor into a widely used open-source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.
The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. In stage one, version 3.3.6, published on September 8, added a benign module known as flat-stream as a dependency. Stage two came on October 5, when flat-stream was updated to include malicious code that attempted to steal Bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from GitHub user Ayrton Sparling. Officials with NPM, the package manager and registry that hosted event-stream, didn’t issue an advisory until Monday, six days later.
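The two-stage pattern described above (first a harmless new dependency, then a quiet update to that dependency) is exactly what a lockfile diff in CI would surface. The following is an added example, not code from the article, from event-stream or from NPM: it compares two `package-lock.json` snapshots and reports every package that was added, removed, or changed in version or integrity hash. The lockfile contents are constructed for the example, and the flat-stream version numbers and integrity strings are placeholders, not the real ones.

```python
"""Flag dependency drift between two package-lock.json snapshots.

Added example (not from the article or the event-stream project). All
lockfile data below is constructed; flat-stream versions and integrity
values are placeholders.
"""
import json

# Constructed lockfile before any change: event-stream 3.3.5 and its deps.
LOCK_BEFORE = json.dumps({
    "name": "wallet-app",
    "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "3.3.5", "integrity": "sha512-PLACEHOLDER-ES-335",
                         "requires": {"map-stream": "~0.1.0", "through": "~2.3.1"}},
        "map-stream": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER-MS"},
        "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-TH"},
    },
})

# Constructed stage one: event-stream bumps to 3.3.6 and pulls in a new,
# still-benign transitive dependency (flat-stream version is a placeholder).
LOCK_STAGE_ONE = json.dumps({
    "name": "wallet-app",
    "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "3.3.6", "integrity": "sha512-PLACEHOLDER-ES-336",
                         "requires": {"map-stream": "~0.1.0", "through": "~2.3.1",
                                      "flat-stream": "~0.1.0"}},
        "flat-stream": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER-FS-010"},
        "map-stream": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER-MS"},
        "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-TH"},
    },
})

# Constructed stage two: nothing new appears at the top level; only the
# transitive flat-stream entry changes version and hash.
LOCK_STAGE_TWO = json.dumps({
    "name": "wallet-app",
    "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {"version": "3.3.6", "integrity": "sha512-PLACEHOLDER-ES-336",
                         "requires": {"map-stream": "~0.1.0", "through": "~2.3.1",
                                      "flat-stream": "~0.1.0"}},
        "flat-stream": {"version": "0.1.1", "integrity": "sha512-PLACEHOLDER-FS-011"},
        "map-stream": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER-MS"},
        "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-TH"},
    },
})


def flatten(lock_json):
    """Map package name -> (version, integrity), walking nested dependency trees."""
    out = {}

    def walk(deps):
        for name, meta in deps.items():
            out[name] = (meta.get("version"), meta.get("integrity"))
            walk(meta.get("dependencies", {}))  # v1 lockfiles nest deps

    walk(json.loads(lock_json).get("dependencies", {}))
    return out


def diff_locks(old_json, new_json):
    """Return added, removed and changed package names between two lockfiles."""
    old, new = flatten(old_json), flatten(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def findings(old_json, new_json):
    """Human-readable review items; any non-empty result should block an unreviewed merge."""
    old, new = flatten(old_json), flatten(new_json)
    d = diff_locks(old_json, new_json)
    items = [f"NEW dependency {n} {new[n][0]} (integrity {new[n][1]})" for n in d["added"]]
    items += [f"REMOVED dependency {n}" for n in d["removed"]]
    for n in d["changed"]:
        items.append(f"CHANGED {n}: {old[n][0]} -> {new[n][0]}, integrity "
                     f"{old[n][1]} -> {new[n][1]}")
    return items


if __name__ == "__main__":
    for label, a, b in (("stage one", LOCK_BEFORE, LOCK_STAGE_ONE),
                        ("stage two", LOCK_STAGE_ONE, LOCK_STAGE_TWO)):
        print(label)
        for line in findings(a, b):
            print("  " + line)
```

Run against the constructed snapshots, stage one is reported as a new transitive dependency plus an event-stream bump, and stage two as a version and integrity change on flat-stream alone; the second report is the one a reviewer would otherwise never see, because the application's own `package.json` did not change at all.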
NPM officials said the malicious code was designed to target people using a Bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flat-stream, but a Copay official said in a GitHub discussion that the malicious code was never deployed in any platforms. After this post went live, Copay officials updated their comment to say they did, in fact, release platforms that contained the backdoor.