Add to favourites
News Local and Global in your language
11th of December 2018

Internet



Rogue Developer Uses Popular Open Source Project to Steal Bitcoins - ExtremeTech

This site may earn affiliate commissions from the links on this page. Terms of use.

Living the cryptocurrency life might give you more control over your money, but it also comes with much more risk than old-fashioned fiat money. Some Bitcoin users are learning this lesson the hard way after developers discovered malicious code in a widely used open source code library. The goal, it seems, was to siphon off funds from users of the Copay crypto wallet. The scale of the breach is still under investigation, but things aren’t looking good.

The attack focuses on the event-stream JavaScript library, which many companies and other open source projects use to handle Node.js streaming data. You don’t need to know the specifics of how that all works — all you need to know is this library was extremely popular with almost 2 million weekly downloads. This library has existed for years with no issue, but that changed several months ago.

According to a GitHub thread, the original developer, Dominic Tarr grew tired of maintaining a library he no longer used. Someone emerged from the shadows with an offer to take over the project, and Tarr provided access. It probably would have been smart for Tarr to vet the new developer, but hindsight is 20/20.

The new dev, known only as “right9ctrl,” got right to work adding a new module called flatmap-steam in October. That update didn’t actually contain anything malicious — the new directory was empty. Other projects unknowingly integrated the updated code into their software, giving right9ctrl the opening they needed to attack. Earlier this month, the flatmap-steam module was updated with malicious code that attempted to steal Bitcoin and Bitcoin Cash wallets. If it was successful, the module transferred the coins to a server in Malaysia.

This attack specifically targeted the Copay wallet app, which uses the event-stream library. When deployed in that app, the code activated to compromise the private keys. BitPay, which makes the Copay wallet app, says that versions 5.0.2 through 5.1.0. A new v5.2 build is rolling out to remove the malicious code. The company recommends that everyone using an old app upgrade as soon as possible. Since the keys for the old wallet are most likely at risk, BitPay suggests transferring all funds to a new wallet in v5.2.

Anyone who lost cryptocurrency in this attack is probably out of luck. There’s no way to track the perpetrator unless they were especially sloppy, and cryptocurrency isn’t protected by deposit insurance like traditional money in banks. If it gets stolen, it’s gone.

Now read: Great, Now Games Are Hijacking Systems With Cryptocurrency Miners, Nvidia Says GPU Sales for Crypto Mining Have Dried Up, and Mining Cryptocurrency Uses More Energy Than Actual Mining

Read More




Leave A Comment

More News

Latest ITProPortal news

ExtremeTech » Internet

TechRadar: Internet news

TechCrunch » Enterprise

Digital Trends

Disclaimer and Notice:WorldProNews.com is not the owner of these news or any information published on this site.