Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

Living the cryptocurrency life might give you more control over your money, but it also comes with much more risk than old-fashioned fiat money. Some Bitcoin users are learning this lesson the hard way after developers discovered malicious code in a widely used open source code library. The goal, it seems, was to siphon off funds from users of the Copay crypto wallet. The scale of the breach is still under investigation, but things aren’t looking good.

The attack focuses on the event-stream JavaScript library, which many companies and other open source projects use to handle Node.js streaming data. You don’t need to know the specifics of how that all works — all you need to know is this library was extremely popular with almost 2 million weekly downloads. This library has existed for years with no issue, but that changed several months ago.

According to a GitHub thread, the original developer, Dominic Tarr grew tired of maintaining a library he no longer used. Someone emerged from the shadows with an offer to take over the project, and Tarr provided access. It probably would have been smart for Tarr to vet the new developer, but hindsight is 20/20.

The new dev, known only as “right9ctrl,” got right to work adding a new module called flatmap-steam in October. That update didn’t actually contain anything malicious — the new directory was empty. Other projects unknowingly integrated the updated code into their software, giving right9ctrl the opening they needed to attack. Earlier this month, the flatmap-steam module was updated with malicious code that attempted to steal Bitcoin and Bitcoin Cash wallets. If it was successful, the module transferred the coins to a server in Malaysia.

Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

This attack specifically targeted the Copay wallet app, which uses the event-stream library. When deployed in that app, the code activated to compromise the private keys. BitPay, which makes the Copay wallet app, says that versions 5.0.2 through 5.1.0. A new v5.2 build is rolling out to remove the malicious code. The company recommends that everyone using an old app upgrade as soon as possible. Since the keys for the old wallet are most likely at risk, BitPay suggests transferring all funds to a new wallet in v5.2.

Anyone who lost cryptocurrency in this attack is probably out of luck. There’s no way to track the perpetrator unless they were especially sloppy, and cryptocurrency isn’t protected by deposit insurance like traditional money in banks. If it gets stolen, it’s gone.

Continue reading

AMD Buys FPGA developer Xilinx in $35 Billion Deal
AMD Buys FPGA developer Xilinx in $35 Billion Deal

The deal, which we discussed earlier this month, will give AMD access to new markets that it hasn't previously played in, including FPGAs and artificial intelligence.

VIA Technologies, Zhaoxin Strengthen x86 CPU Development Ties
VIA Technologies, Zhaoxin Strengthen x86 CPU Development Ties

VIA and Zhaoxin are deepening their strategic partnership with additional IP transfers, intended to accelerate long-term product development.

Scientists Develop Nasal Spray That Can Disable Coronavirus
Scientists Develop Nasal Spray That Can Disable Coronavirus

In a newly released study, the concoction was effective at deactivating the novel coronavirus before it could infect cells.

Apple Cuts Fees in Half for App Store Developers Earning Less Than $1 Million
Apple Cuts Fees in Half for App Store Developers Earning Less Than $1 Million

Going forward, Apple's customary 30 percent cut of sales on the iOS platform will drop to just 15 percent for smaller developers. Epic, however, claims this is just an attempt to split the developer community.