Hacker backdoors widely used open-source software to steal Bitcoin

Malicious code that crept into event-stream JavaScript library went undetected for weeks.

A hacker or hackers sneaked a backdoor into a widely used open-source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. In stage one, version 3.3.6 published on September 8 included a benign module known as flat-stream. Stage two was implemented on October 5 when flat-stream was updated to include malicious code that attempted to steal Bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from GitHub user Ayrton Sparling. Officials with the NPM, the open-source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.

NPM officials said the malicious code was designed to target people using a Bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flat-stream, but a Copay official said in a GitHub discussion that the malicious code was never deployed in any platforms.
