Bitcoin Forum
Author Topic: Copay and other wallets potentially compromised with dodgy node.js module  (Read 183 times)
gentlemand (OP)
November 26, 2018, 08:52:22 PM
 #1

https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/

https://github.com/bitpay/copay/issues/9346

Not so wonderful for users and revealed at a deeply unsexy time for the wellbeing of the crypto market. I use Copay for the various Bcashes only myself so I won't exactly be devastated if it does a runner. Still, keep an eye out for fixes or tips if you're exposed to this.
TryNinja
November 26, 2018, 10:15:19 PM
 #2

I don't use Copay, but this is worrying. Mostly because of this part:

Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216

Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070

I already knew how dangerous running tons of third-party NPM packages can be because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how.

HI-TEC99
November 27, 2018, 05:27:27 AM
 #3

Quote from: TryNinja
Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.


Is there a list of all wallets affected by this yet?
o_e_l_e_o
November 27, 2018, 12:20:01 PM
 #4

https://github.com/bitpay/copay/issues/9346#issuecomment-441827353

https://blog.bitpay.com/npm-package-vulnerability-copay/

Quote
Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.

So Copay wallets from 5.0.2 through to 5.1.0 are vulnerable. BitPay apps are not vulnerable, apparently. If you are running one of these versions of the Copay app, you should not open the app. Advice is instead to update to 5.2.0, and then use "Send Max" to transfer all your funds to a new wallet. You should not restore your wallet from your mnemonic seed, as that seed is linked to potentially compromised private keys.

It is currently unclear whether this affects other wallets forked from Copay (such as Copay Dash), or any other wallets in general.
HeRetiK
November 28, 2018, 05:21:47 PM
 #5

Holy shit so that was the mystery payload of the event-stream backdoor! :O

Here's the GitHub discussion for anyone interested; when the backdoor was first found its intention was not yet clear:
https://github.com/dominictarr/event-stream/issues/116

Despite the severity of the issue, I don't fully agree with the article's condemnation of BitPay's practices. I also don't think that event-stream's original maintainer deserves all the flak he got.

However it goes to show how shaky modern JavaScript development is from a security perspective. Event-stream is an extremely popular npm package and as such is rather trusted and used in a lot of other applications. As such it could have hit any other Node.js based wallet as well. This is a problem with modern JavaScript development in general, rather than with BitPay specifically.
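
Added example, not part of the thread or of any project named in it: the point in post #5 that event-stream could reach any Node.js wallet through its dependencies can be checked against a project's own lockfile. The sketch assumes a parsed `package-lock.json` with lockfileVersion 2 or 3; the sample lockfile, its versions, and every package name in it other than `event-stream` are constructed.

```javascript
// Added example (not from the thread): trace a package through a parsed package-lock.json.
const NM = "node_modules/";
const nameOf = (path) => path.slice(path.lastIndexOf(NM) + NM.length);
// Resolve `name` from the package at `from`: nearest node_modules first, then each parent.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + NM + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/" + NM);
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}
function depsOf(packages, path) { // devDependencies count for the app ("") only
  const p = packages[path] || {};
  return Object.keys(Object.assign({}, p.dependencies, p.optionalDependencies,
    path === "" ? p.devDependencies : undefined));
}

// For each direct dependency of the app, the shortest chain that ends at `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  for (const direct of depsOf(packages, "")) {
    const start = resolve(packages, "", direct);
    const queue = start ? [[start]] : [];
    const seen = new Set([start]); // guards against dependency cycles
    while (queue.length) {
      const trail = queue.shift();
      const here = trail[trail.length - 1];
      if (nameOf(here) === target) {
        chains.push(trail.map((p) => nameOf(p) + "@" + packages[p].version));
        break;
      }
      for (const name of depsOf(packages, here)) {
        const next = resolve(packages, here, name);
        if (next && !seen.has(next)) { seen.add(next); queue.push(trail.concat(next)); }
      }
    }
  }
  return chains;
}
// Constructed lockfile: versions and all names except "event-stream" are hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "build-helper": "^1.0.0", "qr-lib": "^2.0.0" } },
  "node_modules/build-helper": { version: "1.0.0", dependencies: { "task-runner": "*" } },
  "node_modules/task-runner": { version: "3.0.0", dependencies: { "event-stream": "*", "build-helper": "*" } },
  "node_modules/event-stream": { version: "0.0.0-placeholder" },
  "node_modules/qr-lib": { version: "2.0.0" } } };
```

On a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` as `lock`; an empty result means the named package is not installed through any dependency.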