On Nov. 26, BitPay announced that a rogue developer had compromised its Copay wallets. According to the U.S.-based bitcoin payment processor, it learned of the issue from a Copay GitHub report.
This happened after a user with very little coding activity on GitHub was given publishing rights to the event-stream library and then used them to load malicious code into it.
The Malware Can Lead To Capture Of Private Keys
The malware was deployed on Copay and BitPay wallet apps from version 5.0.2 to 5.1.0. According to the report, the malicious code had the potential to capture private keys and steal BTC and BCH.
However, BitPay noted that the platform's own app was not vulnerable to the malware, though it was still investigating whether the code vulnerability had been exploited against Copay users.
The company is now asking users to avoid running or opening the Copay wallet if they are on one of the infected versions. It has also released an updated version (5.2.0) without the malicious code for all BitPay and Copay wallet users. The new version will be available in app stores "momentarily."
BitPay insisted:
“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.”
The company has also advised users not to move funds to the new wallets by importing their 12-word backup phrases, because those phrases correspond to "potentially compromised private keys."
“Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
The issue came to the attention of the public after a complaint was made on GitHub by Ayrton Sparling.
It turns out the incident began when a user with little coding activity on GitHub, going by the name right9ctrl, obtained publishing rights to the event-stream library from Dominic Tarr, the previous maintainer.
Tarr said he had not maintained the repository for years, which was why he chose to hand control to the new user.
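The practical question this incident raises for anyone shipping a JavaScript application is whether event-stream sits anywhere in their dependency tree, including transitively. The following is an added example, not code from BitPay, Copay or the article: it walks a package-lock.json and reports every path at which a watched package name appears. The lock file contents are constructed for illustration, and the version string on the event-stream entry is a placeholder, since the article does not state which event-stream version carried the malicious code, so the check flags by package name only.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 1 layout).
# Package names and versions are illustrative; "0.0.0-placeholder" stands in
# for the affected event-stream version, which the article does not give.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-wallet",
    "lockfileVersion": 1,
    "dependencies": {
        "some-build-tool": {
            "version": "1.0.0",
            "dependencies": {
                "event-stream": {"version": "0.0.0-placeholder"}
            }
        },
        "left-pad": {"version": "1.3.0"}
    }
})

# Constructed lockfileVersion 2/3 layout: a flat "packages" map keyed by
# install path, where "" is the root project itself.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-wallet",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-wallet", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-build-tool": {"version": "1.0.0"},
        "node_modules/some-build-tool/node_modules/event-stream": {
            "version": "0.0.0-placeholder"
        }
    }
})

WATCHED = {"event-stream"}  # names to flag, by package name only


def find_packages(lock_text, watched=WATCHED):
    """Return sorted (install_path, version) pairs for every occurrence of a
    watched package in a package-lock.json, including transitive ones.
    Supports both the nested lockfileVersion 1 tree and the flat
    lockfileVersion 2/3 "packages" map."""
    lock = json.loads(lock_text)
    hits = []

    packages = lock.get("packages")
    if packages:
        for key, meta in packages.items():
            if not key:
                continue  # root project entry, not a dependency
            # Last "node_modules/" segment is the package name; this keeps
            # scoped names such as "@scope/name" intact.
            name = key.rsplit("node_modules/", 1)[-1]
            if name in watched:
                hits.append((key, meta.get("version")))
        return sorted(hits)

    def walk(deps, path):
        for name, meta in deps.items():
            here = path + [name]
            if name in watched:
                hits.append(("/".join(here), meta.get("version")))
            walk(meta.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), [])
    return sorted(hits)


if __name__ == "__main__":
    for label, lock in (("v1", SAMPLE_LOCK_V1), ("v3", SAMPLE_LOCK_V3)):
        for path, version in find_packages(lock):
            print(f"{label}: {path} (version {version})")
```

Run it against a real lock file with `find_packages(open("package-lock.json").read())`; any non-empty result means the package is installed, even if it never appears in your own package.json, which is exactly the transitive exposure that made the Copay builds pick up the compromised library.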