Multiple tech news sites have reported that
GitHub user right9ctrl injected the malicious code in a package called
flatmap-stream after offering to help maintain the library, according to a post on the Snyk security blog. Handing off control to other users happens frequently in open source communities, as the original authors and maintainers move on to other projects. Adding libraries as dependencies is also common in open source, although the
event-stream npm package hadn't been substantially updated for about two years prior to September 2018, when
flatmap-stream was first added. According to Ars Technica, the next phase took place on October 5, when malicious code was implemented to transfer the balances of Copay wallets to a server in Kuala Lumpur.
Copay published a blog post on Monday warning users of versions 5.0.2 through 5.1.0 not to open the app until they had installed version 5.2.0, which includes a security update to protect against the npm package vulnerability.
ZDNet reports that the malicious
event-stream version 3.3.6 has been taken down from npmjs.com repository, and also advised project maintainers to update their dependency trees to the latest version available, 4.0.1.
In early January, David Gilbertson wrote a post on Hackernoon theorizing how a similar situation might unfold: "I'm Harvesting Credit Card Numbers and Passwords From Your Site. Here's How."
Open-source security vulnerabilities that target end users are becoming more common. The volunteer-run nature of the libraries, combined with their extreme popularity, creates opportunities for hackers to implement malicious updates under the radar.
Last month, Ars Technica reported on two such attacks. VestaCP servers were compromised to allow end users to download a malicious installer. Also, "Colourama," a doppelganger of the popular Colorama package in the PyPI repository, was found to be monitoring users' clipboards for signs they were about to make a cryptocurrency payment. Any transfers were diverted directly into the wallet of an attacker.