A GitHub user has uncovered a deliberately compromised Node.js module, event-stream, which appears to have exposed the BitPay wallet to attack.

In something of a cloak-and-dagger affair, a GitHub user appears to have uncovered the work of a malicious actor who injected malware into the event-stream module, making it possible for wallets to be compromised, and then did their best to cover their tracks.

The malicious code was uncovered by a GitHub user with the ID deanveloper, who raised it on the site. Whilst the problem with the event-stream module was reported earlier in the week, the link to the vulnerability this created in BitPay's wallet, Copay, was only established recently.

Access Granted to Malicious Developer

In what appears to be a lapse in judgement, dominictarr, the user originally in charge of maintaining the event-stream Node.js module, was contacted by another user under the alias right9ctrl. Dominictarr stated that this user was interested in maintaining the module and, since he no longer used it himself, he handed it over.

“he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years,” he wrote on GitHub.

Unfortunately, it turned out that this was a malicious actor, who proceeded to inject malware into the code and then used a follow-up patch to cover their tracks.

This is significant. A huge number of applications across the internet use the event-stream Node.js module; notably, within the cryptocurrency community it is used by BitPay’s open-source bitcoin wallet, Copay. Compromising the module therefore means compromising BitPay users’ wallets, potentially leaking private keys.

Am I affected?

It seems odd that a big player like BitPay would use code from this fairly obscure library. In a pinned post on GitHub detailing what happened and what to do, Ayrton Sparling wrote:

“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
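The pattern described above, a dependency injected into a 3.x release and later removed from the repository while installed copies stay affected, means a project's own package.json may look clean while the lockfile still resolves the injected package. As an added example (not code from the article or from BitPay), this script walks a package-lock.json's nested dependency tree and reports every path that reaches flatmap-stream or an event-stream 3.x release; the sample lockfile and its version numbers are constructed for illustration, and the lockfile layout assumed is the older nested "dependencies" format.

```javascript
// Added example: recursively walk a package-lock.json (nested "dependencies"
// layout) and report any transitive path reaching flatmap-stream or an
// event-stream 3.x release, the affected range named in the quoted post.
function findSuspectDeps(lock) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const version = (info && info.version) || "";
      const here = [...path, `${name}@${version}`];
      if (name === "flatmap-stream") {
        // Any presence is suspect: the package only existed to carry the injection.
        hits.push({ reason: "flatmap-stream present", path: here.join(" > ") });
      } else if (name === "event-stream" && version.startsWith("3.")) {
        hits.push({ reason: "event-stream 3.x", path: here.join(" > ") });
      }
      // Nested dependencies are where a transitive pull-in hides.
      walk(info && info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project): one direct
// event-stream 3.x that pulls in flatmap-stream, and one unaffected
// transitive event-stream 4.x under another package.
const SAMPLE_LOCK = {
  name: "sample-app",
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      dependencies: { "flatmap-stream": { version: "0.1.1" } },
    },
    "some-cli": {
      version: "1.0.0",
      dependencies: { "event-stream": { version: "4.0.1" } },
    },
  },
};

for (const h of findSuspectDeps(SAMPLE_LOCK)) {
  console.log(`${h.reason}: ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.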

Use of Upstream Libraries

Situations like this one lend weight to the concerns of many who aren’t open-source developers: how can you trust others’ code? Relying on such code at a high level, as BitPay does, seems highly risky. But the simple fact is that the pros seem to outweigh the cons: open source lets work get done much faster and with better input from a wider community. The question should perhaps be directed at BitPay instead, as to why they aren’t taking more care to maintain libraries essential to their product.

Image Source: “Flickr”