Bitcoin payment processing company BitPay has announced that its Copay Wallet has been compromised by a hacker.
NodeJS package modified to load malicious code
In its announcement on Monday, BitPay stated that it had been made aware that a third-party NodeJS package used by the Copay and BitPay apps had been altered to load malicious code. The malicious code loaded on the wallet could be used to retrieve users' private keys.
BitPay further added that the code was deployed only on versions 5.0.2 through 5.1.0 of the Copay and BitPay apps, and that the BitPay app was not affected by this malicious code.
With users' private keys, the attacker would be able to steal the Bitcoin and Bitcoin Cash stored in their wallets. BitPay assured its customers that it is still investigating the issue, stating: “Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.”
BitPay added that its development team assumes that the private keys on affected wallets may have been compromised, so users have been advised to move their funds to new wallets (v5.2.0) immediately.
To ensure the safety of their funds, BitPay advised users not to move their funds to new wallets by importing their 12-word backup phrases. Doing so could potentially compromise the user's private keys, BitPay added.
Users are advised to update any affected wallet before transferring the funds from it to a new, updated wallet. BitPay recommends using the Send Max feature to transfer the funds.
A developer orchestrated the attack
According to reports, the attack was orchestrated by a developer known only as Right9ctrl. The developer was given control of the maintenance of the NodeJS library by the original author, who was unable to work on it. The attack took place roughly three months after the attacker was given permission to access the repository, at which point he injected the malware.
Jackson Palmer, who is known for creating the cryptocurrency Dogecoin, tweeted in response to this latest development:
The payment processing firm has been advised not to solely trust upstream developers and to endeavor to hire Bitcoin core developers. This would enable them to achieve in development and also avoid the injection of malicious code into their software.
— Jackson Palmer (@ummjackson) November 26, 2018