Copay
Event-stream dependency compromised Copay wallet
The Copay Bitcoin wallet was pulled into the event-stream compromise through a malicious npm dependency. The injected code specifically recognized Copay workflows and attempted to steal wallet secrets, making a transitive JavaScript library the narrow blade against cryptocurrency users and their funds.
- Date
- 2018-09-09 to 2018-11-26
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- dependency
- Impact
- Cryptocurrency theft
- Cause
- Compromised dependency
What Was Affected
Package
Copay
LanguageJavaScript
ComponentApplication
Artifact typebinary archive
Domain typeproject download host
Domain
copay.io
Repository
github.com/bitpay/copay
Compromised Versions
- 5.0.2
- 5.1.0
Incident Context
- Motive
- Financial gain
- Attribution
- Individual Hacker
- Transitive
- Yes
- User Impact
- 1000000
- Observed Duration
- 78 days
Evidence
Compromised Artifacts
- pkg:npm/event-stream@3.3.6
- pkg:npm/flatmap-stream@0.1.1
- registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz
- registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
- github.com/bitpay/copay/releases/tag/v5.0.2
- github.com/bitpay/copay/releases/tag/v5.1.0
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:005a6cfb72127d0007798d72700e28df0b5280b9f7e56f355de65a8f9107026e
Commits
External References
Source Data
Source record: proprietary/copay/meta.yaml