Malicious Code Infected Copay And Bitpay Wallet Apps

It was announced by the Bitpay team that a third-party NodeJs (the open-source JavaScript environment) package used by the Copay and Bitpay apps, had been modified to load malicious code, probably used to capture and steal users’ private wallet keys. The company was aware of the exposure from a GitHub issue report about an “event-stream” dependency attack.

So far, there has been a confirmation from Bitpay that the malicious code was released on its Copay and Bitpay apps from version 5.0.2 to 5.1.0. the company has however tried to reassure users, stating that the Bitpay app was not vulnerable to the malicious code.  The newly developed security update (version 5.2.0) will be made available for users in the app store. Meanwhile, the team is still investigating to know whether or not the malicious code was ever actually used against people.

The Bitpay team has issued a warning to anyone using a Copay app from version 5.0.2 to 5.1.0, not to open it again. Users are required to first update their affected wallets and then send all funds from affected wallets to the new version 5.2.0 wallets. Users are not to transfer funds to new wallets by importing affected backup phrases, they should assume that the corresponding private keys may have been compromised.

Bitcoi.com wallet users have not been affected by this issue in any way, hence they are to do nothing. “Our wallet doesn’t use the compromised ‘package,’ so we’re completely out of trouble for this one,” explains the Bitcoin.com wallet development team. “We’re operating as normal, we have never used that package and will never use it.”