Copay and Bitpay Wallet Apps Were Infected With Malicious Code
A developer has injected a piece of malicious code into the software used by the popular Copay and Bitpay wallets. The safety of the Bitcoin.com wallet was not compromised and the Bitpay app was not vulnerable to the attack, but Copay users need to take precautionary actions.
Someone Might Have Been Able to Steal Private Keys
The Bitpay team has announced that a third-party Node.js (the open-source JavaScript environment) package used by the Copay and BitPay apps had been modified to load malicious code. This could have been used to capture and steal users’ private wallet keys. The company learned about the vulnerability from a GitHub issue report about an “event-stream” dependency attack.
So far, Bitpay has confirmed only that the malicious code was deployed on its Copay and Bitpay apps from version 5.0.2 to 5.1.0. However, the company has tried to reassure users by saying that the Bitpay app was not vulnerable to the malicious code. A security update (version 5.2.0) has been developed and will be made available for users in the app stores. The team is still investigating whether the malicious code was ever actually used against people.
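For developers who want to know whether their own Node.js project pulls in the package named in the report, the following added example (not code from Bitpay, Copay or the article) walks an npm lockfile and lists where a package is installed and which locked packages declare it. The function names, the sample lockfile, and every package name and version in it other than "event-stream" are constructed placeholders.

```javascript
'use strict';
const NM = 'node_modules/';

// Flatten either lockfile layout into [{ name, location, version, requires }].
function entries(lock) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [loc, info] of Object.entries(lock.packages)) {
      if (loc === '') continue; // the root project itself
      const i = loc.lastIndexOf(NM);
      const name = i < 0 ? (info.name || loc) : loc.slice(i + NM.length);
      out.push({ name, location: loc, version: info.version,
                 requires: Object.keys(info.dependencies || {}) });
    }
    return out;
  }
  (function walk(deps, prefix) { // lockfileVersion 1: nested "dependencies"
    for (const [name, info] of Object.entries(deps || {})) {
      const location = prefix + NM + name;
      out.push({ name, location, version: info.version,
                 requires: Object.keys(info.requires || {}) });
      walk(info.dependencies, location + '/');
    }
  })(lock.dependencies, '');
  return out;
}

// Where is `target` installed, and which locked packages declare it?
function auditLock(lock, target) {
  const all = entries(lock);
  return {
    installed: all.filter(e => e.name === target)
                  .map(e => ({ location: e.location, version: e.version })),
    requiredBy: [...new Set(all.filter(e => e.requires.includes(target))
                               .map(e => e.name))].sort(),
  };
}

// Constructed sample: every name except event-stream, and every version
// number, is a placeholder rather than a value from the incident.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'build-helper': { version: '1.0.0', requires: { 'event-stream': '^0.0.0' } },
    'event-stream': { version: '0.0.0' },
    'other-lib': { version: '2.0.0', requires: { 'event-stream': '^0.0.1' },
      dependencies: { 'event-stream': { version: '0.0.1' } } },
  },
};
console.log(JSON.stringify(auditLock(sampleLock, 'event-stream'), null, 2));
```

To run it against a real project, pass the parsed contents of package-lock.json to auditLock; dependencies declared directly by the project itself are listed in package.json and are not reported under requiredBy.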
What Copay Wallet Users Need to Do Now to Keep Safe
The Bitpay team warns that anyone using a Copay app from version 5.0.2 to 5.1.0 should not open it again. Users should first update their affected wallets and then send all funds from affected wallets to new version 5.2.0 wallets. Users should not attempt to move funds to new wallets by importing affected backup phrases, as they should assume that the corresponding private keys may have been compromised.
If you use the Bitcoin.com wallet you have not been affected by this issue at all, so you don’t need to do anything. “Our wallet doesn’t use the compromised ‘package,’ so we’re completely out of trouble for this one,” explains the Bitcoin.com wallet development team. “We’re operating as normal, we have never used that package and will never use it.”