Popular NPM library hacked – BTC wallet unsafe

On November 26th, a user of a popular free NPM library noticed a problem and notified the project’s security team. The malicious addition discovered in the code was an attempt to steal cryptocurrency funds from people’s wallets. The whole plot had been in preparation since September.

Hunting for programmers

Unfortunately, hacking attempts happen quite often in the cryptocurrency world. Big money is appealing prey for scammers and online criminals. A couple of days ago, disturbing news spread through the cryptocurrency community: the event-stream library had been hacked, and cryptocurrency holders were the target. A library like this attracts hackers because it’s used by so many people.

The NPM manager is a code library for the Node.js system, downloaded roughly 2 million times every week. Programmers use it because pulling in a ready-made piece of code is much easier than writing it from scratch. The library offers reusable pieces of code, which you can later incorporate into your own projects.

The timeline

The whole hacking process began in September. NPM is a totally free library, which means that its creator doesn’t make any profit from it. In September, he was offered help administering the project, which he accepted. The new developer (under the username right9ctrl) proposed an update and, as a result, added flatmap-stream as a dependency of event-stream. It turned out that the added package was malicious.

It was only discovered two months later by a user called FallingSnow, who flagged the problem in a GitHub issue. He was identified as Ayrton Sparling, a computer science student at California State University.

What actually happened

The malicious package was distributed through the registry for over two months. It was reportedly searching for access to users’ wallets, specifically the Copay Bitcoin wallet. The injected code targeted developers who were storing a significant amount of cryptocurrency in their wallets. It was designed to steal private keys so the scammers could withdraw money from the accounts. The code was also written to select only wallets with a balance of more than 100 Bitcoin or 1000 Bitcoin Cash, which shows the attackers were focused on large sums.
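The pattern described in the two sections above, a trusted library gaining a new maintainer and then pulling in a previously unseen dependency that turns out to be malicious, is something a project can catch before installing the update. The following is an added example, not code from the article or from the event-stream or npm projects: it compares two `package-lock.json` files in the lockfileVersion 2/3 "packages" shape and lists every package version the update introduces for the first time, together with the dependency chain that pulls it in. The two lockfiles, the package versions and the `my-app` root name are constructed sample data; they are not the real versions involved in the incident.

```javascript
// Added example (not from the article, not npm's or event-stream's code). Diff two
// package-lock.json objects (lockfileVersion 2/3 "packages" shape) and report which
// name@version pairs the update pulls in for the first time, with the chain that
// introduces each one. A brand-new transitive dependency under a library you already
// trust is the pattern worth reviewing before `npm install` runs it.

// npm's node_modules lookup: the nearest nested copy wins, then walk up toward the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed anywhere: inconsistent lockfile
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first walk from the root package ("") that records, for every installed
// package path, the first chain of dependency names reaching it.
function dependencyChains(lock) {
  const packages = lock.packages;
  const chains = new Map();
  const queue = [['', []]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    const meta = packages[path] || {};
    for (const name of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, path, name);
      if (target === null || chains.has(target)) continue;
      const next = [...chain, name];
      chains.set(target, next);
      queue.push([target, next]);
    }
  }
  return chains;
}

// "node_modules/a/node_modules/b" -> "b"
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Every name@version reachable in the new lockfile that the old lockfile did not contain.
// Both genuinely new packages and version bumps of existing ones are reported.
function newPackagesAfterUpdate(oldLock, newLock) {
  const before = new Set(
    Object.entries(oldLock.packages)
      .filter(([path]) => path !== '')
      .map(([path, meta]) => `${packageName(path)}@${meta.version}`)
  );
  const added = [];
  for (const [path, chain] of dependencyChains(newLock)) {
    const id = `${packageName(path)}@${newLock.packages[path].version}`;
    if (!before.has(id)) added.push({ package: id, via: chain.join(' -> ') });
  }
  return added.sort((a, b) => a.package.localeCompare(b.package));
}

// Constructed sample lockfiles; versions are placeholders, not the real ones.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { 'event-stream': '^1.0.0' } },
    'node_modules/event-stream': { version: '1.0.0', dependencies: { through: '^1.0.0' } },
    'node_modules/through': { version: '1.0.0' },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { 'event-stream': '^1.0.0' } },
    'node_modules/event-stream': {
      version: '1.0.1',
      dependencies: { through: '^1.0.0', 'flatmap-stream': '^0.0.1' },
    },
    'node_modules/through': { version: '1.0.0' },
    'node_modules/flatmap-stream': { version: '0.0.1' },
  },
};

for (const entry of newPackagesAfterUpdate(LOCK_BEFORE, LOCK_AFTER)) {
  console.log(`${entry.package}  (via ${entry.via})`);
}
```

Run against the sample data, the report names two entries: the bumped `event-stream` itself and `flatmap-stream`, reached through `event-stream -> flatmap-stream`. The chain is the useful part of the output: it tells the reviewer which direct dependency's update to scrutinise, and a package appearing there for the first time deserves a look at its publisher and contents before the update is merged.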

Developers are actually a perfect target for cryptocurrency theft. Why? Because they are often the ones holding coins. Being interested in the IT world and new technologies, they frequently get involved in trading. So if you are a programmer and own cryptocurrency – be careful what you do online.
