Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins

A hacker compromised the third-party NodeJS module “Event-Stream”, introducing malicious code aimed at stealing funds from Bitcoin wallet apps.

The malicious code was introduced in version 3.3.6, published on September 9 via the Node Package Manager (NPM) repository.

The Event-Stream library is a very popular NodeJS module that lets developers manage data streams; it has nearly 2 million downloads a week.

It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers.

The library was created by Dominic Tarr, who maintained it for a long time; when he left the project he allowed an unknown programmer, called “right9ctrl”, to continue its work.

“he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.” wrote Tarr.

Tarr trusted right9ctrl because of his significant contributions to the project, but once right9ctrl gained access to the library he released Event-Stream version 3.3.6, which added a new library, called Flatmap-Stream, as a dependency; that library was specifically designed to implement the malicious feature.

The bad news is that the code remained undetected for more than 2 months because it was encrypted. The malicious code was spotted by a computer science student at California State University, Ayrton Sparling (FallingSnow handle on GitHub), who reported it.

“If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point).” reported Sparling on GitHub.

“If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.

For example:

$ npm ls event-stream flatmap-stream

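The npm ls check quoted above needs a resolvable install tree. The following is an added example, not code from the article or from any of the projects it mentions: it applies the same check offline to a parsed package-lock.json, walking both the older nested "dependencies" layout and the newer flat "packages" layout, and flags the event-stream 3.3.6 / flatmap-stream 0.1.1 pair the article names. The sample lockfile embedded below is constructed for the demonstration.

```javascript
// Versions named in the article: event-stream 3.3.6 pulled in flatmap-stream 0.1.1.
const TAINTED = { 'flatmap-stream': '0.1.1', 'event-stream': '3.3.6' };

// Collect every occurrence of a tainted name@version in a parsed package-lock.json.
// lockfileVersion 2/3 files carry a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 files nest transitive deps under "dependencies".
function findTaintedDeps(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [pkgPath, info] of Object.entries(lock.packages)) {
      if (!pkgPath) continue; // "" is the root project itself, not a dependency
      const name = pkgPath.split('node_modules/').pop();
      if (TAINTED[name] === info.version) {
        hits.push({ name, version: info.version, path: pkgPath });
      }
    }
    return hits;
  }
  const visit = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const chain = [...trail, name];
      if (TAINTED[name] === info.version) {
        hits.push({ name, version: info.version, path: chain.join(' > ') });
      }
      visit(info.dependencies, chain); // recurse into un-hoisted nested deps
    }
  };
  visit(lock.dependencies, []);
  return hits;
}

// A project is affected when the backdoored flatmap-stream 0.1.1 is actually installed,
// which mirrors the "if you see flatmap-stream@0.1.1" condition in the GitHub report.
function isAffected(lock) {
  return findTaintedDeps(lock).some((h) => h.name === 'flatmap-stream');
}

// Constructed sample lockfile (v1 layout) mimicking an install made while 3.3.6 was live.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: { 'flatmap-stream': { version: '0.1.1' } },
    },
    through: { version: '2.3.8' },
  },
};

for (const h of findTaintedDeps(SAMPLE_LOCK)) {
  console.log(`tainted: ${h.name}@${h.version} (${h.path})`);
}
console.log(isAffected(SAMPLE_LOCK) ? 'AFFECTED' : 'clean');
```

To check a real project, replace SAMPLE_LOCK with JSON.parse of its package-lock.json contents.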
The NPM repository manager who analyzed the malicious code discovered that it was designed to target users of the open-source Bitcoin wallet app BitPay, a distribution of the Copay project, which leverages event-stream.

A security advisory published by BitPay confirms that Copay versions 5.0.2 through 5.1.0 were affected by the malicious code; the organization released Copay version 5.2.0 to address the issue.

“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.” BitPay says in the advisory.

“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

The malicious code allows the attackers to steal digital coins stored in Dash Copay Bitcoin wallets and transfer them to a server located in Kuala Lumpur, Malaysia.

On Monday, NPM maintainers removed the backdoor from the repository.

Pierluigi Paganini
