A piece of open-source script called event-stream, has found itself compromising BitPay’s open-source bitcoin wallet, Copay. The Node.js module, event-stream, is found in a multitude of web apps, and with streams being a node’s best and also one of the most misunderstood ideas, event-stream was supposed to be a toolkit to make creating and working with streams simple. However, the event-stream dependency attack was designed to steal wallets from Copay users.
If a users overall application has both this malicious package and “copay-dash”, then the code would attempt to steal the bitcoins stored in it.
Addressing the matter on GitHub, a web-based hosting service for a version control system designed in tracking changes in computer files and coordinating work on those files among multiple people, Ayrton Sparling unde the username FallingSnow, detailed the malicious codes execution venue.
“If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to by copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected.”
How the sneaky bit of code enter the equation, started when event-stream’s previous maintainer, Dominic Tarr, was contacted by “right9ctrl” for control over the unmaintained repository. After gaining control, it is undetermined if the code that could steal a wallets private keys was done with intent or out of naivety.
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
The open-source community have gone back and forth as to the responsibility of the hack. Dominic Tarr’s stance appears to be that since this is a volunteer service when the hacker emailed him, asking to maintain the module, Tarr gave it freely. Tarr stated “I don’t get [anything] from maintaining this module, and I don’t even use it anymore, and [haven’t] for years.”
While this outlook is understandable, as this responsibility was taken up freely and without contract, the other community members disagreed, stating that he put millions of people at risk, and that despite giving any creation freely, if it’s given to the public, then the responsibility for the package lies with the creator.