Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins



Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins (Nov 26, 2018)

The open source JavaScript run-time environment “Node.js” was affected by a rogue developer who implanted malicious code into the Node.js library “Event-Stream.” The malicious code, discovered by California State University student Ayrton Sparling, was contained in Event-Stream version 3.3.6, which included a library called “Flatmap-Stream.” That library was created purposely with malicious code designed to steal funds stored in Bitcoin wallet applications. The code, believed to have been developed by an unknown programmer known as “right9ctrl,” was pushed to Node.js on September 9, 2018 and has since garnered approximately eight million downloads.

Recommendation: As of this writing, officials from the open source project manager that hosted the Event-Stream library, Node Package Manager (NPM), have stated that the malicious library has been removed from its listings. The Bitcoin payment service provider, BitPay, has issued an advisory in which it warns all of its users to assume that their private keys have been compromised and to move funds to new wallets in updated version 5.2.0 as soon as possible.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
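
A Node.js team can check its own lockfile for the two packages named above. The following is an added example, not code from this report, NPM or BitPay; `findFlagged`, `sampleLock` and every sample package name and version other than event-stream 3.3.6 are constructed for illustration.

```javascript
// Packages named in the report. Any flatmap-stream version is flagged.
const FLAGGED = [
  { name: "event-stream", version: "3.3.6" },
  { name: "flatmap-stream", version: null },
];
const isFlagged = (name, version) =>
  FLAGGED.some((f) => f.name === name && (f.version === null || f.version === version));

// Takes a parsed package-lock.json and returns every flagged entry.
function findFlagged(lock) {
  const hits = [];
  // Lockfile v2/v3: flat "packages" map keyed by node_modules path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, via: path });
  }
  // Lockfile v1: nested "dependencies"; record the chain that pulls it in.
  const walk = (deps, chain) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const via = [...chain, name].join(" > ");
      if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, via });
      walk(meta.dependencies, [...chain, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample (v1 layout); names and versions other than
// event-stream 3.3.6 are made up for illustration.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "example-dev-tool": {
      version: "1.0.0",
      dependencies: {
        "event-stream": {
          version: "3.3.6",
          dependencies: { "flatmap-stream": { version: "0.0.0-sample" } },
        },
      },
    },
    "event-stream": { version: "3.3.4" },
  },
};
for (const h of findFlagged(sampleLock)) console.log(`${h.name}@${h.version} via ${h.via}`);
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` contents; the `via` field shows which dependency chain or install path brings the flagged package in.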