Monday, November 26, 2018

Copay wallet targeted by malicious exploit

If you use the Copay wallet software, be aware that a recent change to one of the libraries it relies on was just discovered to be a malicious exploit that attempts to steal Bitcoins from users' wallets.

Keep an eye on that thread for updates. There are no updates yet from Copay; the corresponding issue is reported here: https://github.com/bitpay/copay/issues/9346

UPDATE: Copay developers have marked the issue as resolved and have mentioned that no released version of the application relied on the malicious package. So, if you have only ever used the released executable for Copay (and never built the application from source), you should be good there. However, several projects forked from the Copay source code, including copay-dash and fcash-pay, might still be vulnerable.

Upon launch, the exploit code scraped all public keys from the wallet file. It then waited for an "unlock" event to be triggered, grabbed the private key from the response, and sent it to a remote server (presumably under the control of the attacker). Notably, the exploit only attempts to harvest private keys from accounts that have less than 100 BTC or less than 1,000 BCH in them.

