• Forum has been upgraded, all links, images, etc are as they were. Please see Official Announcements for more information

Numerous Bitcoin Wallets May Have Been Compromised by Rogue Developer

qwizzie

qwizzie

Well-known member
https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/

A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository
in years and gave control to the new user, called right9ctrl.

The library event-stream is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either pulled a sneaky move to inject malware or unknowingly had the
same effect as if he had, that effect being that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.

Basically, the developer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.
Copay — whose open-source code is itself used by many crypto applications — would be just one of many that use the library, but it happens to be built and maintained by a multi-million dollar
Bitcoin payment processing company — BitPay — which raises questions on its own.
Click to expand...

Does Dash (Evolution) have a reliance on that library event-stream or the copay-dash modules ? And is the copay-dash module related to Dash ?

Tagging : @UdjinM6

Link describing the problem on Copay github : https://github.com/bitpay/copay/issues/9346
So, for people who try to understand what the malicious payload is doing: it's basically crawling your dependencies for a peer dependency on the package copay-dash, and it's an attack basically crafted towards this package.

If your overall application has both this malicious package and "copay-dash", then it's going to try stealing the bitcoins stored in it.
Click to expand...

Link to another article about this hack : https://arstechnica.com/information...y-used-open-source-software-to-steal-bitcoin/
 
Last edited:
Dash Copay is NOT affected !
the core team discuss the issues last night , obusco has all details, and NO problems for Dash Copay users
 
Pfff, that is a relief. Good to hear obusco / Alex Werner (lead developer backend of Dashpay) has all details.
Thanks.

Pretty shocking though to learn how Github can (still) form a vendor of attack on well-used libraries this way, hopefully Microsoft (who acquired Github) will do something about it.
 
Last edited:
You must log in or register to reply here.
Back
Top