BitPay wallets compromised by rogue developer

posted 20 days ago
A Node.js module called event-stream is used in millions of web applications, including BitPay's open-source bitcoin wallet, Copay, and this module was reportedly compromised thanks to what can objectively be referred to as social engineering, laziness, and incompetence. A GitHub user with very little coding activity was handed publishing rights to the library and injected malware into it. The malicious code only matters to applications that depend on both event-stream and copay-dash, and in those it leaks the wallet's private keys.

Copay, whose open-source code is itself reused by many crypto applications, is just one of many projects that pull in the library, but it happens to be built and maintained by a multi-million dollar Bitcoin payment processing company, BitPay. The malware targeted copay-dash, the package of the Copay Bitcoin wallet, and steals the wallet's private keys and thus the Bitcoin they control. Notably, this is a bigger issue than just BitPay: any application whose dependency tree reached the compromised version, directly or through another package, was affected. Also, surprisingly, BitPay pulls in third-party dependencies on a trust basis, taking upstream releases as they come, while millions upon millions of dollars in client wallets are being entrusted to them. As many industry stakeholders have alleged, BitPay demonstrated incompetence.
