About the security issue

The malicious code injected into the popular stream library event-stream targeted specific users of copay service. It would check the account balance of copay users (who have the event stream package downloaded into their codebase), and if the balance was greater than 100 bitcoin, or 1000 Bitcoin cash, it would then collect the victim's copay private keys, account data and send it some collection.

Use of event-stream library

Event Stream is a helper library for using streams in Nodejs. It has more than 1 million downloads a week. Streams allow you to stream your data in chunks. For example, normally if you want to send the contents of the file to the client, then you would read out the entire file contents, put that in memory, and then send it in response. In the stream way of doing things, you will read out a small chunk, and pipe it to response. As the complete file is not loaded in memory, the memory consumed throughout the process is less.

How did the hack happen?

Event stream library was written and maintained by @dominictarr until 2017. He then gave the repo access to someone called right9ctrl. The profile has been deleted in GitHub for now. But you can access the archive version of GitHub profile here. There are not many projects under right9ctrlprofile. The contributions to event-stream repository include

  • Upgrading the dependencies of event-stream to latest versions
  • Then adding some examples for map and split use
  • Removing trailing spaces in the split example, then updating readme
  • Updating readme file (removing the travis ci link which shows the status of ci and tests in project)
  • Changed the example of using event stream library.
  • Released 3.3.5 node version
  • [Here it starts] Then added a package called flatmap-stream. The flatmap-stream package had the malicious code
  • Release 3.3.6 version of event-stream library.

This is how the event-stream library got the malicious code.

Here are the screenshots of the flatmap code added to the event stream repository.

index.js file
package.json file
flatmap test file

Response to security issue

Bitpay recommended people no to use copay versions 5.0.2 to 5.1.0 which was affected.

NPM released a security advisory regarding the flatmap-stream package. It removed the flatmap-stream package from npm and also the version 3.3.6 of event-stream. Now you cannot specifically download the 3.3.6 version of event-stream. The [flatmap-stream] package is now held by npm and stock content is put in there.

@dominictarr did some fixes and made the package as read-only, indicating that it is not actively developed.

Microsoft recommended people to stay on the version 3.3.4 of event stream. It blocked downloading the flatmap-steam package and 3.3.6 version of event-stream in Azure devOps.

Microsoft visual studio code released a list of extensions for VS Code that are affected by this. They scanned the extensions in the VS Code Marketplace, and automatically uninstalled those extensions from the users' VS Code editor. Also these extensions have been removed from marketplace as well.