Copay wallet targeted private keys
Copay builds included the malicious event-stream dependency chain. The payload was tuned to steal wallet private keys from affected 5.0.2 through 5.1.0 releases.
Story
Copay was the target hidden inside the event-stream compromise. The attacker did not need to publish a fake wallet. They took over maintainership of the upstream npm package, added flatmap-stream as an event-stream dependency, and waited for Copay's build chain to carry the payload into wallet releases.
The malicious code was selective. It stayed buried in an obfuscated npm dependency and decrypted only in the Copay context. BitPay later said versions 5.0.2 through 5.1.0 of the Copay and BitPay apps contained the malicious dependency chain, but the BitPay wallet was not vulnerable to execution.
The payload tried to capture private keys and send them to attacker-controlled infrastructure. That made the downstream impact different from the broad npm ecosystem impact: most event-stream consumers carried malicious code, but Copay users carried the value the attacker wanted.
BitPay fixed Copay in 5.2.0, told users not to open affected apps, and advised moving funds to a new wallet created with the clean version rather than reusing twelve-word backup phrases from potentially compromised wallets. Later 5.3.1 work locked dependency updates and restricted wallet network connections.
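The record above turns on a transitive dependency: Copay never listed flatmap-stream itself, event-stream pulled it in. As an added example (not code from the original record or from Copay/BitPay), the script below walks an npm lockfile in the lockfileVersion 2/3 "packages" layout and reports every chain through which a named package is reached; the lockfile contents and version strings are constructed.

```javascript
// Added example (not code from the original record or from Copay/BitPay):
// walk an npm lockfile ("packages" layout) and report every dependency chain
// that pulls in a named package, so a transitive dependency such as
// event-stream -> flatmap-stream is visible even though the project never
// lists it directly. The lockfile below and its versions are constructed.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "event-stream": "*", "some-other-lib": "*" } },
    "node_modules/event-stream": {
      version: "0.0.0-sample",
      dependencies: { "flatmap-stream": "*", "some-other-lib": "*" },
    },
    "node_modules/flatmap-stream": { version: "0.0.0-sample" },
    "node_modules/some-other-lib": { version: "0.0.0-sample" },
  },
};

// Resolve a dependency name from a package's location the way Node does:
// try <location>/node_modules/<name>, then walk up to the parent node_modules.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key ""); every time the target name
// is reached, the whole chain from the root is recorded as name@version labels.
function findDependencyChains(lock, targetName) {
  const packages = lock.packages || {};
  const label = (k) => k.slice(k.lastIndexOf("node_modules/") + 13) + "@" + packages[k].version;
  const chains = [];
  const visit = (key, path) => {
    for (const name of Object.keys((packages[key] || {}).dependencies || {})) {
      const depKey = resolveDep(packages, key, name);
      if (!depKey || path.includes(depKey)) continue; // missing entry or cycle
      const next = path.concat(depKey);
      if (name === targetName) chains.push(next.map(label));
      visit(depKey, next);
    }
  };
  visit("", []);
  return chains;
}

console.log(findDependencyChains(SAMPLE_LOCK, "flatmap-stream").map((c) => c.join(" -> ")));
```

Point it at a real package-lock.json by passing the parsed JSON object to findDependencyChains; an empty result means the package is not reachable from the root, which is the check to run before trusting a build.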
Affected Artifacts
- Observed: 2018-09-09 to 2018-11-26
- Compromised Versions:
  - The upstream compromised artifacts are modeled in the OSS event-stream record; this record captures the downstream Copay wallet releases and user impact.
  - BitPay said Copay versions 5.0.2 through 5.1.0 were vulnerable and fixed Copay in 5.2.0.
  - BitPay's exposed customer count is not known; the users field is left at 0 (unknown) rather than treating app downloads as confirmed victims.
  - The malicious npm packages were delivered through npm, but Copay users received the risk through official Copay builds.
  - Previous local data listed a SHA-256 for this artifact without a named Copay file; it was removed rather than retained as an ambiguous hash.
Incident Context
- Motive: Financial Gain
- Attribution: Person
- Cause: Compromised Dependency
- Transitive: Yes
- Actor: Individual Hacker
External References
Source record: proprietary/copay/meta.yaml