A popular Node.js module known as event-stream, used in many web applications globally, is reported to have been compromised. Event-stream is used in several blockchain-based payment solutions, such as Copay, BitPay's open-source bitcoin wallet. According to a recent report, social engineering, laziness, and incompetence are reportedly responsible for the compromise of this module.
How Event-Stream Got Compromised
According to the report, a new user with minimal coding activity on GitHub, the popular code-hosting site, recently requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr. Tarr said he had not maintained event-stream for years and felt that the best thing to do was to hand control to the new user, so he did. The new user has been identified as "right9ctrl."
According to a complaint filed on GitHub by one Ayrton Sparling, right9ctrl has either "injected malware into the module or unknowingly had the same effect as if he had". The effect of his actions is that the module now leaks private keys from applications that relied on both the event-stream and copay-dash modules.
Sparling's complaint reads:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally, the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
Going by this, it is clear that right9ctrl made updates to the module that included malware, and that he was able to do so carefully and without being detected. As of now, anyone who installed the module after the update is affected.
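As an added example that is not code from the article, BitPay, or the event-stream project: a small audit that walks an npm package-lock.json tree and flags the two indicators described above, a copy of flatmap-stream anywhere in the tree and any event-stream in the 3.x range that the complaint says stayed affected. The lock file below is a constructed sample and its version numbers are sample values; the lockfileVersion 1 layout with nested "dependencies" objects is assumed.

```javascript
// Added example, not code from the article or from event-stream/Copay.
// Audits an npm lockfileVersion-1 tree for the indicators the article names.
// SAMPLE_LOCK is a constructed sample; its versions are sample values.
const SAMPLE_LOCK = {
  name: "example-wallet-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      requires: { "flatmap-stream": "0.1.1" },
      dependencies: { "flatmap-stream": { version: "0.1.1" } }
    },
    "ps-tree": { version: "1.2.0" },
    "some-cli-tool": {
      version: "2.0.0",
      dependencies: { "event-stream": { version: "4.0.1" } }
    }
  }
};

// Returns one finding per suspicious node, together with the dependency
// path that leads to it, so the top-level package pulling it in is visible.
function auditLock(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(`${name}@${info.version}`);
      if (name === "flatmap-stream") {
        // the package the complaint identifies as the injection vector
        findings.push({ indicator: "flatmap-stream", path: here.join(" > ") });
      } else if (name === "event-stream" && /^3\./.test(info.version)) {
        // the 3.x range the complaint says remained affected
        findings.push({ indicator: "event-stream-3.x", path: here.join(" > ") });
      }
      walk(info.dependencies, here); // recurse into nested sub-trees
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Run against the constructed sample and print each finding.
const SAMPLE_FINDINGS = auditLock(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) console.log(`${f.indicator}: ${f.path}`);
```

To audit a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; a non-empty result means the lock file pins a package the complaint names rather than proof of the malicious payload itself.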
BitPay’s Copay Wallet is Compromised
One of the affected web applications is BitPay's Copay wallet. Copay is open-source code that is currently used by several crypto applications.
The fact that BitPay relies on upstream libraries has so far raised questions. A company entrusted with ensuring safe transactions and storage should know better than this.