Holy shit, so that was the mystery payload of the event-stream backdoor! :O
Here's the GitHub discussion for anyone interested; when the backdoor was first found its intention was not yet clear:
https://github.com/dominictarr/event-stream/issues/116
Despite the severity of the issue, I don't fully agree with the article's condemnation of BitPay's practices. I also don't think that event-stream's original maintainer deserves all the flak he got.
However, it goes to show how shaky modern JavaScript development is from a security perspective. Event-stream is an extremely popular npm package and as such is rather trusted and used in a lot of other applications. As such it could have hit any other Node.js-based wallet as well. This is a problem with modern JavaScript development in general, rather than with BitPay specifically.