Copay, a popular cryptocurrency wallet distributed by the payments platform company Bitpay, revealed a severe security breach today, one that could cause users to lose their digital assets. The issue was caused by unaudited, malicious code that hackers slipped into a recently released update to the app.
According to reports, this security breach was caused by a hacker who gained access rights to a popular JavaScript library called “Event-Stream” and deployed malicious code through it.
Event-Stream is an npm package for Node.js. Despite this exposure to malicious code, the library is very popular with developers and has more than 2 million weekly downloads on the npm.org repository.
Darker, Chief Security Officer for Cobo Wallet, said that the attack is very covert and difficult to prevent. He called for blockchain infrastructure developers, including wallets, to raise awareness of development safety and security.
Cobo Wallet, a mobile software wallet for cryptocurrency owners, does not reference the “Event-Stream” JavaScript library, according to Darker. Despite this, Cobo has implemented additional security measures to prevent this type of attack: new versions of third-party packages pulled in through Cobo’s npm package management will be scanned with nsp and NodejsScan.
According to Darker, Cobo already periodically has its software and web assets audited by Cure53, a well-known German cybersecurity team that has also worked with companies like Google.
Cobo also pays equal attention to other third-party package management tools such as pip, holding regular development security training and employing automated security scanning tools. The Cobo development team also routinely reviews source code internally, following a security development lifecycle (SDL) process, to maximize the security of Cobo users’ assets.
“At the very least, current Copay wallet users should update their Copay to 5.2.0 or use their desktop version to transfer digital assets,” Darker said. “Alternatively, they could try out a safer solution like Cobo Wallet.”