An open-source code stored in a popular JavaScript library was poisoned by its latest administrator with a malicious code allowing an attacker to swipe Bitcoin from Bitpay and Copay wallets.
The attacker injected a malicious code, called Event-Stream, into a NodeJS package that is used by the Copay and BitPay apps enabling an attacker to steal a wallet’s private keys, a fact confirmed by Bitpay. Bitpay warned users to assume their private keys on affected wallets have been compromised, so any funds should be moved to new wallets immediately.
Hacker takes over JavaScript library, injects malware to steal Bitcoin