qwizzie
Well-known member
https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/
Does Dash (Evolution) have a reliance on that library event-stream or the copay-dash modules ? And is the copay-dash module related to Dash ?
Tagging : @UdjinM6
Link describing the problem on Copay github : https://github.com/bitpay/copay/issues/9346
Link to another article about this hack : https://arstechnica.com/information...y-used-open-source-software-to-steal-bitcoin/
A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository
in years and gave control to the new user, called right9ctrl.
The library event-stream is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either pulled a sneaky move to inject malware or unknowingly had the
same effect as if he had, that effect being that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.
Basically, the developer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.
Copay — whose open-source code is itself used by many crypto applications — would be just one of many that use the library, but it happens to be built and maintained by a multi-million dollar
Bitcoin payment processing company — BitPay — which raises questions on its own.
Does Dash (Evolution) have a reliance on that library event-stream or the copay-dash modules ? And is the copay-dash module related to Dash ?
Tagging : @UdjinM6
Link describing the problem on Copay github : https://github.com/bitpay/copay/issues/9346
So, for people who try to understand what the malicious payload is doing: it's basically crawling your dependencies for a peer dependency on the package copay-dash, and it's an attack basically crafted towards this package.
If your overall application has both this malicious package and "copay-dash", then it's going to try stealing the bitcoins stored in it.
Link to another article about this hack : https://arstechnica.com/information...y-used-open-source-software-to-steal-bitcoin/
Last edited: