Rogue Developer Uses Popular Open Source Project to Steal Bitcoins
Living the cryptocurrency life might give you more control over your money, but it also comes with much more risk than old-fashioned fiat money. Some Bitcoin users are learning this lesson the hard way after developers discovered malicious code in a widely used open source code library. The goal, it seems, was to siphon off funds from users of the Copay crypto wallet. The scale of the breach is still under investigation, but things aren’t looking good.
The attack focuses on the event-stream JavaScript library, which many companies and other open source projects use to handle Node.js streaming data. You don’t need to know the specifics of how that all works — all you need to know is this library was extremely popular with almost 2 million weekly downloads. This library has existed for years with no issue, but that changed several months ago.
According to a GitHub thread, the original developer, Dominic Tarr grew tired of maintaining a library he no longer used. Someone emerged from the shadows with an offer to take over the project, and Tarr provided access. It probably would have been smart for Tarr to vet the new developer, but hindsight is 20/20.
The new dev, known only as “right9ctrl,” got right to work adding a new module called flatmap-steam in October. That update didn’t actually contain anything malicious — the new directory was empty. Other projects unknowingly integrated the updated code into their software, giving right9ctrl the opening they needed to attack. Earlier this month, the flatmap-steam module was updated with malicious code that attempted to steal Bitcoin and Bitcoin Cash wallets. If it was successful, the module transferred the coins to a server in Malaysia.
This attack specifically targeted the Copay wallet app, which uses the event-stream library. When deployed in that app, the code activated to compromise the private keys. BitPay, which makes the Copay wallet app, says that versions 5.0.2 through 5.1.0. A new v5.2 build is rolling out to remove the malicious code. The company recommends that everyone using an old app upgrade as soon as possible. Since the keys for the old wallet are most likely at risk, BitPay suggests transferring all funds to a new wallet in v5.2.
Anyone who lost cryptocurrency in this attack is probably out of luck. There’s no way to track the perpetrator unless they were especially sloppy, and cryptocurrency isn’t protected by deposit insurance like traditional money in banks. If it gets stolen, it’s gone.
Continue reading
Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption
The Oculus Quest 2 is now available, and it's an improvement over the original in every way that matters. And yet, it's $100 less expensive than the last release. Having spent some time with the Quest 2, I believe we might look back on it as the headset that finally made VR accessible to mainstream consumers.
AMD Buys FPGA developer Xilinx in $35 Billion Deal
The deal, which we discussed earlier this month, will give AMD access to new markets that it hasn't previously played in, including FPGAs and artificial intelligence.
AMD’s New Radeon RX 6000 Series Is Optimized to Battle Ampere
AMD unveiled its RX 6000 series today. For the first time since it bought ATI in 2006, there will be some specific advantages to running AMD GPUs in AMD platforms.
VIA Technologies, Zhaoxin Strengthen x86 CPU Development Ties
VIA and Zhaoxin are deepening their strategic partnership with additional IP transfers, intended to accelerate long-term product development.