The malicious code in the package caught the eye of researchers last week. Today, it has been revealed that the library was infected to steal cryptocurrency when researchers decrypted and deobfuscated the code.
Researchers found that a new component named ‘flatmap-stream’ version 0.1.1 has been infected by dangerous code. The component was added after the original developer Dominic Tarr passed on the rights of the library to another developer named right9ctrl.
According to the researchers investigating the code, targets are libraries linked to Copay Bitcoin wallet app that is available for mobile as well as desktop users.
The harmful code steals the coins in the Copay wallet and then tries to connect to copayapi.host with 220.127.116.11 IP address located in Malaysia.
On the positive side, the new developer posted an updated version of the library two months ago without the malicious code and, therefore, there is no risk involved in downloading the library via npm manager.
As per the users on GitHub, the developer who infected the library added the code in the major version of the library and not its updated version to hide the tracks.