Hacker places malware in popular JavaScript library


A hacker has managed to place code in a popular JavaScript library that steals bitcoin. This is a library that many companies use. The impact could therefore potentially be very large, although there is still some uncertainty about this.

The attack involved inserting code into Event-Stream, a JavaScript npm package for working with Node.js streaming data that is hosted on GitHub. The purpose of the code is to intercept bitcoin payments that pass through Copay, the open-source bitcoin wallet from BitPay. That is what the Ars Technica site reports today.

Toolkit with malware

Event-Stream is a toolkit designed to make it easy to set up streams and was developed by Dominic Tarr. At some point he stopped maintaining it, even though the open-source software was very popular. Three months ago, Tarr transferred the management rights to Event-Stream to someone called Right9ctrl, and it was at that point that the code became infected.

On September 9, version 3.3.6 of the software was published. It contained an unnecessary module called flatmap-stream. That appears to have been a test to find out whether anyone would notice a new module appearing in the software. On October 5, the flatmap module was then changed into malware. It attempted to steal from bitcoin wallets and transfer their balances to a server in Kuala Lumpur.
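A defender's check for the pattern described above, a new transitive package quietly appearing in a release, as an added example that is not code from the article or from the Event-Stream project. It diffs two npm lockfiles (lockfileVersion 1 layout); the lockfile data is constructed and the flatmap-stream version string is a placeholder.

```javascript
// Added example (not the article's or event-stream's code): diff two npm lockfiles
// (lockfileVersion 1 layout) and flag packages seen for the first time. Sample data is constructed.

// Walk the nested "dependencies" tree, recording name@version -> path to its parent.
function collectPackages(deps, parent = 'root', out = new Map()) {
  for (const [name, info] of Object.entries(deps || {})) {
    const key = `${name}@${info.version}`;
    if (!out.has(key)) out.set(key, parent);
    collectPackages(info.dependencies, `${parent} > ${name}`, out);
  }
  return out;
}

// Split "name@version"; scoped names (@org/pkg) keep their leading "@".
function splitKey(key) {
  const i = key.lastIndexOf('@');
  return { name: key.slice(0, i), version: key.slice(i + 1) };
}

// Returns { added, changed }: names not in `before` at all, and known names at a new version.
function diffLockfiles(before, after) {
  const oldPkgs = collectPackages(before.dependencies);
  const newPkgs = collectPackages(after.dependencies);
  const oldNames = new Set([...oldPkgs.keys()].map(k => splitKey(k).name));
  const added = [], changed = [];
  for (const [key, parent] of newPkgs) {
    const { name, version } = splitKey(key);
    if (!oldNames.has(name)) added.push({ name, version, parent });
    else if (!oldPkgs.has(key)) changed.push({ name, version, parent });
  }
  return { added, changed };
}

// Constructed sample lockfiles: the upgrade pulls in one transitive package nobody asked for.
const LOCK_BEFORE = { lockfileVersion: 1, dependencies: {
  'event-stream': { version: '3.3.5', dependencies: { through: { version: '2.3.8' } } },
} };
const LOCK_AFTER = { lockfileVersion: 1, dependencies: {
  'event-stream': { version: '3.3.6', dependencies: {
    through: { version: '2.3.8' },
    'flatmap-stream': { version: '0.0.0-placeholder' }, // version is a placeholder
  } },
} };

// Any entry in `added` deserves a look before the upgrade is merged.
const report = diffLockfiles(LOCK_BEFORE, LOCK_AFTER);
for (const p of report.added) console.log(`NEW package: ${p.name}@${p.version} via ${p.parent}`);
for (const p of report.changed) console.log(`version change: ${p.name} -> ${p.version} via ${p.parent}`);
```

Run against real `package-lock.json` files from two releases, the same walk flags any dependency that was not there before, which is exactly the signal the article says nobody acted on for weeks.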

Open source risks

On November 20, developers discovered the malware. Someone had raised questions on GitHub about the new module, and especially about what it actually did. That is how the malware in the Event-Stream software came to light.

The presence of malware in open-source software will strengthen security experts' warnings about the use of open-source software in large projects. GitHub has had to deal with problems like this before. This is partly because there are few controls over how people transfer ownership of their projects.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.