The library in question is Event-Stream, which is incredibly popular and records over two million downloads every week. Its original author handed control of the library over to another programmer several months ago, citing a lack of time to oversee the software. It’s suspected that this new programmer immediately inserted the malicious code.
The affected library is said to be used by Fortune 500 companies, startups and individuals, making the potential damage widespread. However, the code only comes into play when it is used inside Copay, which is a wallet app by Bitcoin payment platform BitPay. Copay versions 5.0.1 to 5.1.0 are said to be affected.
When Copay is used, the malicious code (which resides in the source code) will steal all the wallet information, including private keys and data, and will send this to a particular URL. The hacker responsible for the malicious code is then using this data to empty user wallets of Bitcoin.
In a blog post, the Copay team said:
Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.
Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.
Copay is advising all users to update to Copay version 5.2.0 or later immediately.
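For developers, the first question after a report like this is whether a project installs Event-Stream at all, and which dependency brings it in. The following is an added example, not code from the article, Copay or the Event-Stream project: it lists every installed copy of a named package in a parsed npm lockfile and the packages that declare it. The lockfile contents, versions and the package name `example-task-runner` are constructed sample data.

```javascript
// Added example: audit a parsed npm lockfile for a named package.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

function walkV1(deps, trail, name, out) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name) out.installed.push({ path: here.join(' > '), version: info.version });
    // "requires" records what this package asked for, wherever it was hoisted.
    if (info.requires && name in info.requires) out.requiredBy.push(`${dep}@${info.version}`);
    walkV1(info.dependencies, here, name, out);
  }
}

function walkV2(packages, name, out) {
  for (const [loc, info] of Object.entries(packages)) {
    // Keys look like "node_modules/a/node_modules/b"; "" is the project root.
    const parts = loc.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
    const self = parts.length ? parts[parts.length - 1] : (info.name || '(root)');
    if (parts.length && self === name) out.installed.push({ path: parts.join(' > '), version: info.version });
    const declared = { ...info.dependencies, ...info.devDependencies, ...info.optionalDependencies };
    if (name in declared) out.requiredBy.push(parts.length ? `${self}@${info.version}` : self);
  }
}

function findInLockfile(lock, name) {
  const out = { installed: [], requiredBy: [] };
  if (lock.packages) walkV2(lock.packages, name, out);
  else walkV1(lock.dependencies, [], name, out);
  return out;
}

// Constructed sample lockfiles (versions are placeholders, not real releases).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-task-runner': { version: '1.0.0', requires: { 'event-stream': '^0.0.1' },
    dependencies: { 'event-stream': { version: '0.0.1-sample' } } },
  'unrelated-lib': { version: '2.0.0' } } };

const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'sample-app', dependencies: { 'example-task-runner': '^1.0.0' } },
  'node_modules/example-task-runner': { version: '1.0.0', dependencies: { 'event-stream': '^0.0.1' } },
  'node_modules/event-stream': { version: '0.0.1-sample' } } };

console.log(JSON.stringify(findInLockfile(sampleV1, 'event-stream'), null, 2));
console.log(JSON.stringify(findInLockfile(sampleV3, 'event-stream'), null, 2));
```

To check a real project, pass `JSON.parse` of its `package-lock.json` to `findInLockfile`; an empty `installed` list means the package is not in the resolved tree.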