Multiple tech news sites have reported that GitHub user right9ctrl injected the malicious code into a package called flatmap-stream after offering to help maintain the library, according to a post on the Snyk security blog. Handing off control to other users happens frequently in open source communities, as the original authors and maintainers move on to other projects. Adding libraries as dependencies is also common in open source, although the event-stream npm package had not been substantially updated for about two years prior to September 2018, when flatmap-stream was first added as a dependency.

According to Ars Technica, the next phase took place on October 5, when malicious code designed to transfer the balances of Copay wallets to a server in Kuala Lumpur was introduced.