Breaking: Numerous Bitcoin Wallets May Have Been Compromised by Rogue Developer
https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/
A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository
in years and gave control to the new user, called right9ctrl.
The event-stream library is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either deliberately injected malware or unknowingly produced the
same effect: it would leak private keys from applications that relied on both the event-stream and copay-dash modules.
Basically, the developer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected.
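Installs made before the patch stay affected because an npm lockfile pins whatever version was resolved at install time. As an added example (not code from the article or the event-stream project), the following walks a lockfile in either layout and reports every pinned copy of a package. The version strings, `build-tool`, `not-event-stream` and the function names are assumptions, with placeholders where the article gives no version numbers.

```javascript
// Added example. BAD_VERSIONS holds a placeholder, not a real affected release;
// fill it from the advisory you are tracking.
const BAD_VERSIONS = new Set(["0.0.0-PLACEHOLDER"]);

// Lockfile v2/v3: flat "packages" map keyed by install path.
function fromPackages(packages, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Lockfile v1: nested "dependencies" tree; recurse and rebuild install paths.
function fromDependencies(deps, name, prefix = "") {
  const hits = [];
  for (const [dep, meta] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + dep;
    if (dep === name) hits.push({ path, version: meta.version });
    hits.push(...fromDependencies(meta.dependencies, name, path + "/"));
  }
  return hits;
}

// Report every pinned copy of `name`, flagging versions listed in `bad`.
function auditLock(lock, name, bad = BAD_VERSIONS) {
  const found = lock.packages
    ? fromPackages(lock.packages, name)
    : fromDependencies(lock.dependencies, name);
  return found.map((f) => ({ ...f, flagged: bad.has(f.version) }));
}

// Constructed lockfiles: build-tool, not-event-stream and all versions are made up.
const LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet" },
    "node_modules/event-stream": { version: "9.9.9-PATCHED-PLACEHOLDER" },
    "node_modules/not-event-stream": { version: "1.0.0" },
    "node_modules/build-tool/node_modules/event-stream": { version: "0.0.0-PLACEHOLDER" },
  },
};
const LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "build-tool": { version: "1.0.0", dependencies: { "event-stream": { version: "0.0.0-PLACEHOLDER" } } },
  },
};

console.log(auditLock(LOCK_V3, "event-stream"), auditLock(LOCK_V1, "event-stream"));
```

The nested copy under `build-tool` is the case to watch: a patched top-level version does not replace a copy pinned deeper in the tree.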
Copay — whose open-source code is itself used by many crypto applications — would be just one of many that use the library, but it happens to be built and maintained by a multi-million-dollar
Bitcoin payment processing company — BitPay — which raises questions on its own.