A Node.js module called event-stream is used in millions of web applications, including BitPay’s open-source bitcoin wallet — Copay — and this module was reportedly compromised thanks to what can objectively be referred to as social engineering, laziness, and incompetence.
A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository in years and gave control to the new user, called right9ctrl.
The library event-stream is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either deliberately injected malware or unknowingly produced the same effect: private keys would be leaked from applications that relied on both the event-stream and copay-dash modules.
Ayrton Sparling wrote:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
Basically, the developer updated the module with malware and then patched the problem to avoid detection, but the numerous people who had already installed it remain affected. Copay — whose open-source code is itself used by many crypto applications — would be just one of many that use the library, but it happens to be built and maintained by a multi-million dollar Bitcoin payment processing company — BitPay — which raises questions on its own.
Why Does BitPay Use Upstream Libraries?
Those outside of open source development may have the misconception that it is all done for free due to ideals or hobbyism, but this is far from the case. The majority of major and important open source development, such as work on Bitcoin Core or work on the Linux Kernel, for instance, is done by developers who are employed by companies with a stake in the development of such software.
Companies like Red Hat contribute code to the Linux Kernel and companies like Blockstream employ Bitcoin Core developers. The reason is obvious: while they could simply wait on releases and rely on the work of others, these companies understandably have aims to achieve in development and also, most importantly, have a lot of money at stake in kernel development.
This model works for major software development, and this author believes that there is no reason it shouldn’t be applicable here. BitPay should arguably not be using upstream software on a trust basis. Millions upon millions of dollars in client wallets are being entrusted to them, not to upstream developers. If BitPay is not interested in actively developing libraries like event-stream, then they should use forked versions, verifying that each update is safe. Instead, as many industry stakeholders have alleged, they’ve demonstrated incompetence.
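The verification step argued for above, applied to the dependency chain the article describes (event-stream 3.x pulling in flatmap-stream), as an added example that is not part of the original article or of any BitPay or event-stream code: it walks an npm lockfile (lockfileVersion 2/3 "packages" layout) and reports every resolved event-stream 3.x entry that declares flatmap-stream as a dependency. The lockfile contents, package versions and the app name are constructed for the demonstration.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2/3 layout); the
# versions and the "wallet-app" / "legacy-tool" names are made up for this demo.
SAMPLE_LOCK = json.dumps({
    "name": "wallet-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"event-stream": "^3.3.4"}},
        "node_modules/event-stream": {
            "version": "3.3.5",
            "dependencies": {"flatmap-stream": "0.1.0", "map-stream": "~0.1.0"},
        },
        "node_modules/flatmap-stream": {"version": "0.1.0"},
        "node_modules/map-stream": {"version": "0.1.0"},
        # A second, nested copy of event-stream that does not pull flatmap-stream.
        "node_modules/legacy-tool/node_modules/event-stream": {
            "version": "3.3.4",
            "dependencies": {"map-stream": "~0.1.0"},
        },
    },
})


def _package_name(path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_suspect_event_stream(lock_text):
    """Return every resolved event-stream 3.x entry that depends on flatmap-stream.

    Each finding records where the package sits in the tree, its resolved
    version and the flatmap-stream range it declares, so a reviewer can decide
    whether that install needs to be pinned to a vetted fork instead.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if _package_name(path) != "event-stream":
            continue  # root project ("") and unrelated packages are skipped
        version = entry.get("version", "")
        deps = entry.get("dependencies", {})
        if version.startswith("3.") and "flatmap-stream" in deps:
            findings.append({"path": path, "version": version,
                             "flatmap_stream_spec": deps["flatmap-stream"]})
    return findings


if __name__ == "__main__":
    for hit in find_suspect_event_stream(SAMPLE_LOCK):
        print(f"{hit['path']} ({hit['version']}) requires flatmap-stream {hit['flatmap_stream_spec']}")
```

Point the function at a real lockfile's text to audit an actual project; the nested legacy-tool copy in the sample shows why the check must look at every resolved path and not just the top-level entry.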