So this hack is actually kind of beautiful, from an engineering standpoint. It is meant to only trigger when run by a certain bitcoin wallet package, which has the original affected package as a dependency. The code then grabs your wallet's private key. It requires the malicious code through an obfuscated require call, which then only tries to do bad things if it reads a certain npm package description, the one from copay I believe. Equally beautiful and malicious.
The REAL kicker is that the malicious code only lived in the minified source of the flatmap-stream package. It was only able to decode and run when it hit the proper NPM package description.
The culprit loaded in malicious code into a widely used package distributed over loads of projects to hit a single package that used it as a dependency.