JavaScript Library
News | 11/29/2018

Online JavaScript Library’s Popularity utilized in stealing Cryptocurrency

About: The popular npm package, Event-Stream, contains a malicious package named flatmap-stream that crypto-coin-stealing malware code. The malicious code affects bitpay/copay a secure bitcoin wallet platform for both mobile and desktop device...  Read More  

| News | Online JavaScript Library’s Popularity utilized in stealing Cryptocurrency

Malicious JavaScript Library Downloads may have a hidden agenda!

A widely used Node.js code library listed in NPM’s warehouse of repository has been infected to include crypto-coin-stealing malware.JavaScript Library


npm is the most widely used package manager for Javascript programming language. It is the default package manager for an open source, cross platform JavaScript run-time environment Node.js.


The library in question, Event-Stream, is a popular Malicious Javascript library that scores over two million downloads every week by application programmers. The projects that use event-stream in some way should undergo a thorough check to ensure that you didn’t install and fetch the dodgy version during testing or deployment.


This vandalism is a stark reminder of dangers associated with reliable and complex webs of dependencies in software. Without proper precautions taken throughout the whole chain, an app’s security can be broken by modifying any component.

Modus operandi on the Vandalism

The Event-Stream npm package was originally created & maintained by Dominic Tarr, a New-Zeland based developer who stopped maintain the code. A developer identified as “right9control” on GitHub volunteered to take over the ownership of Event-Stream.  The JavaScript was then updated to include another module, flatmap-stream an added dependency to Event-Stream package.  Flatmap-stream was later modified to include Bitcoin-siphoning malware.

JavaScript Library

The malicious Javascript library package represents a highly targeted attack that affects an open source app called Bitpay/ Copay. Copay is a secure bitcoin wallet platform for both mobile and desktop devices. The obfuscated code attempted to drain Bitcoins from wallets.


The version 3.3.6 of Event- Stream that included flatmap-stream dependency was released on September 9 2018, and the malicious version of flatmap-stream appeared on October 5. The malicious library is known have seen nearly 8 million downloads since it was included in September 2018.


The payload has been sophisticatedly designed and is known to decrypt only when being run on a certain environment.  The injected code executed successfully when a package used by Copay was in use. The code attempts to exploit the wallet and then connect to and to the IP address based in Kuala Lumpur, Malaysia.

Javascript Library


How to cope with this Javascript loophole?

Users affected by this malicious code are recommended to eliminate this malevolent package from their application and revert back to the previous version 3.3.4 of event-stream.


Users who deal with Bitcoin applications are advised to inspect for any unauthorized transactions in the last 3 months.


Sensitive user applications should undergo an inspection for any suspicious activity in the last three months.


Unmaintained code and transferring of code ownership pose potential problems. Hence organizations should lay down strict regulations to avoid any unforeseen circumstances in future.

Update on Event-Stream Javascript library

The offending code has been removed from Event-Stream.  It appears that the rogue developer pushed an update to version 4.0.1 two months ago without the malicious code.


An updated version 5.2.2 has emerged for Copay that does not include the two troublesome JavaScript libraries

Hits: 137

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866