FallingSnow on GitHub found some suspicious code in a version of an NPM package called flatmap-stream. After further analysis, it appears that the code was targeting users of the copay-dash. Nicolas Noble summed up what this attack does:
So, for people who try to understand what the malicious payload is doing: it's basically crawling your dependencies for a peer dependency on the package copay-dash, and it's an attack basically crafted towards this package. If your overall application has both this malicious package and "copay-dash", then it's going to try stealing the bitcoins stored in it.
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105
tldr: if you know how to use GitHub and NPM, check the repo for your cryptocurrency wallet. If it uses an affected version of these libraries, you should raise an issue with the wallet developer.
No comments:
Post a Comment