Open-source code in a popular JavaScript library was poisoned by its latest administrator with malicious code that allows an attacker to swipe Bitcoin from BitPay and Copay wallets.
The attacker injected malicious code, called Event-Stream, into a NodeJS package used by the Copay and BitPay apps, enabling the attacker to steal a wallet’s private keys, a fact confirmed by BitPay. BitPay warned users to assume that the private keys on affected wallets have been compromised and to move any funds to new wallets immediately.
https://www.scmagazine.com/home/security-news/hacker-takes-over-javascript-library-injects-malware-to-steal-bitcoin/