A bad link in the cryptochain

[harlan4096]

Pretty much every developer uses some third-party libraries — with millions of developers sharing their creations with the world, leveraging existing modules to help solve your tasks is a smart use of time. But using somebody else’s code means trusting the developers of that code. BitPay, developers of the Copay cryptowallet, recently ran up against the shortcomings of using open-source third-party assets.

Copay is basically a multiplatform Bitcoin/Bitcoin Cash cryptocurrency wallet that allows users to create shared wallets. Copay is developed using JavaScript, and it relies on a lot of third-party open-source libraries.

One of those is an open-source Node.js module called [i]event-stream[/i]. Its repository on the version control service GitHub was maintained by a developer who had lost interest in the project long ago and hadn’t really taken part in the repository’s fate in several years. So, when some other developer with little to no previous activity on GitHub approached him and asked whether he could have the admin rights to maintain the repository, the original developer gave that person access rights.

The new developer got right to work. First, the event stream library began using a module called flatmap-stream from the GitHub repository of the same developer. Then actor modified the module, adding some malicious code. Three days after the update, the said developer uploaded yet another version of [i]flatmap-stream[/i], this one with no malicious code — probably to hide the malicious activities.

Full reading: https://www.kaspersky.com/blog/copay-sup...ack/24786/