Security researcher Jacob Burroughs (@maths22), discovered that Copay-related libraries were targeted by a hacker who gained legitimate access to a widely used JavaScript library, according to GitHub.
The attacker was reportedly publishing rights to EventStream, the library loading the malicious code, which has over two million weekly downloads on the npmjs.com repository, according to ZDNet. After the attacker breached the Node.js module, they injected malicious code that stole Bitcoin and Ethereum from inside BitPay's Copay wallet apps.
“The attacker began by submitting to the project, building trust, and eventually gaining owner-level access, which enabled the attacker to push a compromised version, snarfing Bitcoin and Ethereum hot-wallet credentials so they could be stolen and used for malicious activity,” said Casey Ellis, CTO at Bugcrowd.
“The main takeaway with this attack is that in the world of modern software, it’s turtles all the way down....Just because the code you write is secure doesn’t mean that the code other developers write for you is. The only way to get ahead of this is to practice deep and continuous abuse-case (i.e., security) testing.”
Based on research from Juniper Threat Labs, there have been very few (single-digit) attempts to connect to the threat actor’s command-and-control server hosting copayapi[.]host, which could be a good sign that not many people have been affected, if any at all, said Mounir Hahad, head of Juniper Threat Labs.
While many people favor open source frameworks with the belief that multiple eyes keep the code safe, this attack is an example of the inherent risks in what is believed to be the safer alternative to proprietary software, according to Hahad.
“While this is mostly true, as this example demonstrates, supply chain attacks including those at the very source of the chain can still take place. The attack took place in September and was only discovered in November, which gave the threat actor plenty of time and resulted in millions of users downloading the infected code. The last code change from the threat actor on this library was indeed on September 20, 2018, when he removed the infected code from the most recent version of the package,” Hahad said.
“To protect against similar attacks, users of open source libraries need to stay aware of communication on security boards and the sites where they download software from and act swiftly to apply patches when an issue is discovered.”