BitPay’s Copay Wallet Compromised by Malicious Code, Firm Issues Advice for Users

Crypto payment processor BitPay issued advice on its official blog yesterday, Nov. 26, for users of its open-source Bitcoin (BTC) wallet Copay, which has reportedly been compromised by malicious code.

The vulnerability pertains to a third-party Node.js module, also known as an “event stream,” which is used in versions 5.0.2 through 5.1.0 of BitPay’s Copay and BitPay apps. According to a GitHub issue report, this module was modified to load malware that is capable of stealing users’ private keys.

BitPay’s post states that the BitPay app was not vulnerable to the malicious code, but that its team is investigating whether the vulnerability had been exploited against any CoPay users.

In the meantime, the company has outlined advice for its users, stating that anyone using Copay version from 5.0.2 to 5.1.0, “should not run or open the app.” The company has released a security update in version (5.2.0), which is due for imminent release on app stores.

The company also warns that users of affected versions “should assume” their private keys may have been compromised, and therefore move any holdings to new, secure v5.2.0 wallets “immediately”:

“Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

According to the GitHub issue report, a little-known user called right9ctrl requested and was granted publishing rights to the event-stream library (which is used in the Node.js module on the Copay app) from its previous maintainer, Dominic Tarr, who conceded he was no longer maintaining the repository and did not suspect the new user of malintent.

In response to the news, Dogecoin creator Jackson Palmer yesterday tweeted his concern that “this is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM [Node.js package manager]. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet” – nor to “let [an] attacker in” inadvertently.

Earlier this fall, Bitcoin Core released an update following the detection of a vulnerability in its software, a bug which the co-owner of Bitcoin.org described as “very scary,” with the potential to have “crashed a huge chunk of the Bitcoin network if exploited by any rogue miners.”