Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

Living the cryptocurrency life might give you more control over your money, but it also comes with much more risk than old-fashioned fiat money. Some Bitcoin users are learning this lesson the hard way after developers discovered malicious code in a widely used open source code library. The goal, it seems, was to siphon off funds from users of the Copay crypto wallet. The scale of the breach is still under investigation, but things aren’t looking good.

The attack focuses on the event-stream JavaScript library, which many companies and other open source projects use to handle Node.js streaming data. You don’t need to know the specifics of how that all works — all you need to know is this library was extremely popular with almost 2 million weekly downloads. This library has existed for years with no issue, but that changed several months ago.

According to a GitHub thread, the original developer, Dominic Tarr grew tired of maintaining a library he no longer used. Someone emerged from the shadows with an offer to take over the project, and Tarr provided access. It probably would have been smart for Tarr to vet the new developer, but hindsight is 20/20.

The new dev, known only as “right9ctrl,” got right to work adding a new module called flatmap-steam in October. That update didn’t actually contain anything malicious — the new directory was empty. Other projects unknowingly integrated the updated code into their software, giving right9ctrl the opening they needed to attack. Earlier this month, the flatmap-steam module was updated with malicious code that attempted to steal Bitcoin and Bitcoin Cash wallets. If it was successful, the module transferred the coins to a server in Malaysia.

Rogue Developer Uses Popular Open Source Project to Steal Bitcoins

This attack specifically targeted the Copay wallet app, which uses the event-stream library. When deployed in that app, the code activated to compromise the private keys. BitPay, which makes the Copay wallet app, says that versions 5.0.2 through 5.1.0. A new v5.2 build is rolling out to remove the malicious code. The company recommends that everyone using an old app upgrade as soon as possible. Since the keys for the old wallet are most likely at risk, BitPay suggests transferring all funds to a new wallet in v5.2.

Anyone who lost cryptocurrency in this attack is probably out of luck. There’s no way to track the perpetrator unless they were especially sloppy, and cryptocurrency isn’t protected by deposit insurance like traditional money in banks. If it gets stolen, it’s gone.

Continue reading

Astronomers Spot Earth-Sized Rogue Planet Wandering the Galaxy
Astronomers Spot Earth-Sized Rogue Planet Wandering the Galaxy

Astronomers have identified more than 4,000 exoplanets orbiting other stars but just a few "rogue planets" wandering the galaxy without a star to call home. A new study claims to have spotted one of these worlds, and it may be a small, rocky world like Earth.

Google Told Stadia Developers They Were Making ‘Great Progress,’ Then Fired Them
Google Told Stadia Developers They Were Making ‘Great Progress,’ Then Fired Them

Google told its Stadia developers they were making "great progress." Then it fired them, less than a week later.

Pentagon May Dump $10 Billion JEDI Program Over Microsoft, Amazon Fight
Pentagon May Dump $10 Billion JEDI Program Over Microsoft, Amazon Fight

The government is so tired of fighting with Amazon over the $10 billion JEDI cloud contract that went to Microsoft, it'd rather just quit than move forward with litigation.

iFixit: Samsung ‘Ruined’ Its Smartphone Upcycling Program
iFixit: Samsung ‘Ruined’ Its Smartphone Upcycling Program

Samsung just dipped its toe in the waters of upcycling, but iFixit says Samsung lost its nerve, and that the original version of Galaxy Upcycling was going to be much more ambitious and useful.