So this hack is actually kind of beautiful, from an engineering standpoint. It is meant to only trigger when run by a certain bitcoin wallet package, which has the original affected package as a dependency. The code then grabs your wallet's private key. It requires the malicious code through an obfuscated `require` call, which then only tries to do bad things if it reads a certain npm package description, the one from copay I believe. Equally beautiful and malicious.
The REAL kicker is that the malicious code only lived in the minified source of the flatmap-stream package. It was only able to decode and run when it hit the proper NPM package description.
The culprit loaded malicious code into a widely used package distributed over loads of projects to hit a single package that used it as a dependency.