Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

Living the cryptocurrency life might give you more control over your money, but it also comes with much more risk than old-fashioned fiat money. Some Bitcoin users are learning this lesson the hard way after developers discovered malicious code in a widely used open source code library. The goal, it seems, was to siphon off funds from users of the Copay crypto wallet. The scale of the breach is still under investigation, but things aren’t looking good.

The attack focuses on the event-stream JavaScript library, which many companies and other open source projects use to handle Node.js streaming data. You don’t need to know the specifics of how that all works — all you need to know is this library was extremely popular with almost 2 million weekly downloads. This library has existed for years with no issue, but that changed several months ago.

According to a GitHub thread, the original developer, Dominic Tarr, grew tired of maintaining a library he no longer used. Someone emerged from the shadows with an offer to take over the project, and Tarr provided access. It probably would have been smart for Tarr to vet the new developer, but hindsight is 20/20.

The new dev, known only as “right9ctrl,” got right to work adding a new module called flatmap-stream in October. That update didn’t actually contain anything malicious — the new directory was empty. Other projects unknowingly integrated the updated code into their software, giving right9ctrl the opening they needed to attack. Earlier this month, the flatmap-stream module was updated with malicious code that attempted to steal Bitcoin and Bitcoin Cash wallets. If it was successful, the module transferred the coins to a server in Malaysia.
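Because the malicious module arrived as a dependency of a trusted library, defenders check a project's lockfile for a package by name and trace which direct dependency pulls it in. The following added example (not code from the article or from any project it names) does that for the npm lockfile v2/v3 `packages` layout; the sample lockfile, the package names `example-wallet`, `build-helper` and `left-util`, and all version strings are constructed.

```javascript
// Constructed sample in npm lockfile v2/v3 "packages" layout; versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-wallet",
          dependencies: { "build-helper": "^1.0.0", "left-util": "^2.0.0" } },
    "node_modules/build-helper": { version: "1.0.0-sample",
          dependencies: { "event-stream": "*" } },
    "node_modules/event-stream": { version: "0.0.0-sample",
          dependencies: { "flatmap-stream": "*" } },
    "node_modules/flatmap-stream": { version: "0.0.0-sample" },
    "node_modules/left-util": { version: "2.0.0-sample" },
  },
};

// Resolve `name` as required from the package stored at `fromPath`, following
// Node's lookup order: nearest node_modules first, then each parent directory.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed anywhere on the lookup path
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every dependency chain from the root project down to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, path, name);
      if (!next || seen.has(next)) continue; // missing or cyclic edge
      const chain = [...trail, name];
      if (name === target) chains.push(chain.join(" > "));
      else walk(next, chain, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(SAMPLE_LOCK, "flatmap-stream"));
```

To use it on a real project, parse that project's `package-lock.json` and pass the resulting object in place of `SAMPLE_LOCK`.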

This attack specifically targeted the Copay wallet app, which uses the event-stream library. When deployed in that app, the code activated to compromise the private keys. BitPay, which makes the Copay wallet app, says that versions 5.0.2 through 5.1.0 are affected. A new v5.2 build is rolling out to remove the malicious code. The company recommends that everyone using an old app upgrade as soon as possible. Since the keys for the old wallet are most likely at risk, BitPay suggests transferring all funds to a new wallet in v5.2.

Anyone who lost cryptocurrency in this attack is probably out of luck. There’s no way to track the perpetrator unless they were especially sloppy, and cryptocurrency isn’t protected by deposit insurance like traditional money in banks. If it gets stolen, it’s gone.
