Atlanta-based Bitcoin payment service provider BitPay has issued a warning about a third-party Node.js package used by both the BitPay and Copay apps that can potentially compromise users’ private keys.
According to the company, the malicious code was executed on versions 5.0.2 through 5.1.0 of the Copay and BitPay apps. Because the code could expose users’ private keys, BitPay advised users to immediately transfer their funds to new digital wallets (v5.2.0) and to avoid importing the affected wallets’ backup phrases, which could also be compromised.
As the company warned:
“Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
In its official statement, published November 26, the company said the BitPay team is still looking into any attack the malicious code might have carried out:
“Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.”
Furthermore, the company advised users against using infected Copay versions until BitPay has released a security update in the app stores.
As the company detailed further:
“Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.”
The malware was initially discovered through a Copay GitHub issue report. As one GitHub user described in a comment, the code “was really sneaky, and only triggering the upload of the private keys for wallets that had genuinely over 100 BTC in there.”
“Narrowly escaped a mass theft/liquidation event. Network egress monitoring would be good to add to automated tests if not already part of the build validation process,” GitHub user atomantic said.
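The egress monitoring suggested in that comment can be approximated inside a Node.js test run. The following is an added example, not code from Copay, BitPay or the GitHub thread; the allowlist, the `installEgressGuard` and `destinationOf` names and the sample destinations are assumptions constructed for illustration.

```javascript
// Added example: fail the test run when any dependency opens an outbound
// TCP connection to a host that is not explicitly allowlisted.
const net = require('net');

// Assumed allowlist (constructed): hosts the test suite may legitimately reach.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Work out the destination from the call forms socket.connect() accepts.
function destinationOf(args) {
  let first = args[0];
  // net.connect() passes a pre-normalized [options, callback] array.
  if (Array.isArray(first)) first = first[0];
  if (first !== null && typeof first === 'object') {
    if (first.path) return { host: null, label: `ipc:${first.path}` };
    const host = first.host || 'localhost';
    return { host, label: `${host}:${first.port}` };
  }
  // connect(path): a non-numeric string is a local IPC path, not a network host.
  if (typeof first === 'string' && Number.isNaN(Number(first))) {
    return { host: null, label: `ipc:${first}` };
  }
  const host = typeof args[1] === 'string' ? args[1] : 'localhost';
  return { host, label: `${host}:${first}` };
}

// Patch Socket.prototype.connect so every TCP client in the process is checked.
function installEgressGuard(allowed = ALLOWED_HOSTS) {
  const original = net.Socket.prototype.connect;
  const blocked = []; // destinations refused so far, for a final test assertion
  net.Socket.prototype.connect = function guardedConnect(...args) {
    const { host, label } = destinationOf(args);
    if (host !== null && !allowed.has(String(host).toLowerCase())) {
      blocked.push(label);
      throw new Error(`unexpected network egress during tests: ${label}`);
    }
    return original.apply(this, args);
  };
  return {
    blocked,
    restore() { net.Socket.prototype.connect = original; },
  };
}

module.exports = { installEgressGuard, destinationOf };
```

Install the guard from the test runner's setup file and assert that `blocked` is empty at teardown. An in-process patch does not see child processes, native addons or UDP traffic, so a network-restricted CI sandbox is still needed alongside it.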
In April, BitPay also issued a warning about a trojan horse that affected a number of Bitcoin transactions facilitated through the payment service platform. While the trojan did not proliferate across Bitcoin wallets or the payment system itself, it has so far infected Windows users, as most types of ransomware do.