
Multiple tech news sites have reported that event-stream, a popular JavaScript library with almost two million weekly downloads, contained malicious code for several weeks. It was first reported in a GitHub post last week, but developers were only able to decipher the purpose of the code yesterday. The code targeted users of the cryptocurrency wallet Copay, and was designed to steal Bitcoin and Bitcoin Cash.

GitHub user right9ctrl injected the malicious code in a package called flatmap-stream after offering to help maintain the library, according to a post on the Snyk security blog. Handing off control to other users happens frequently in open source communities, as the original authors and maintainers move on to other projects. Adding libraries as dependencies is also common in open source, although the event-stream npm package hadn't been substantially updated for about two years prior to September 2018, when flatmap-stream was first added. According to Ars Technica, the next phase took place on October 5, when malicious code was implemented to transfer the balances of Copay wallets to a server in Kuala Lumpur.

Source of the article on DZONE