Hacker adds malicious bitcoin-stealing code to popular JavaScript library

An NPM package with 2 million weekly downloads had malicious code injected into it. Plus, more problems arise from the Windows 10 October 2018 Update.


Tired of maintaining code that was written to be freely distributed, an “unrepentant module giver awayer” (aka developer) handed over the popular JavaScript library Event-Stream after GitHub dev “right9control” volunteered to take it over. Event-Stream, a Node.js library, has over 2 million downloads per week. The library, which is listed in NPM's repository, was then updated with malicious code that contains cryptocurrency-stealing malware.

Put another way, Event-Stream was updated to include Flatmap-Stream as a dependency. The latter was then modified to include the bitcoin-stealing malware.

Everyone using Event-Stream in their projects is urged to make sure they don’t have a tainted version and update to the latest Event-Stream version 4.0.1.

The malware “steals Bitcoin and Bitcoin Cash funds stored inside BitPay’s Copay wallet apps.” Copay issued a statement warning developers that if they are “using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app.” Version 5.2.0 contains a security update. “Users should assume that private keys on affected wallets may have been compromised,” so Copay advised users to immediately send all crypto funds from affected wallets to a brand-new wallet based on version 5.2.0.
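One way to carry out the dependency check urged above, as an added example that is not part of the original article or of the Event-Stream project: a Node.js function that walks a parsed package-lock.json (nested v1 layout and flat v2/v3 layout) and reports every installed copy of event-stream or flatmap-stream. The function names, flag labels and sample lockfiles are assumptions constructed for illustration; the article does not say which Event-Stream versions were tainted, so anything older than 4.0.1 is only marked for review.

```javascript
// Added example (not from the article). Only the two package names and the
// 4.0.1 target come from the article; sample data below is constructed.
const TARGET = '4.0.1';
const WATCHED = new Set(['event-stream', 'flatmap-stream']);

// True when dotted version a is lower than b (plain x.y.z only).
function older(a, b) {
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Collect every installed copy of a watched package from a parsed lockfile.
function findWatched(lock) {
  const hits = [];
  const add = (name, version, path) => {
    if (!WATCHED.has(name)) return;
    const flag = name === 'flatmap-stream' ? 'investigate'
      : !version || older(version, TARGET) ? 'review-and-update' : 'ok';
    hits.push({ name, version, path, flag });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages))
      add(path.split('node_modules/').pop(), meta.version, path);
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      add(name, meta.version, [...trail, name].join(' > '));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (version numbers are made up for the demo).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'build-tool': { version: '1.0.0', dependencies: {
    'event-stream': { version: '3.0.0', dependencies: {
      'flatmap-stream': { version: '0.0.1' } } } } } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/event-stream': { version: '4.0.1' } } };

for (const lock of [sampleV1, sampleV3])
  for (const h of findWatched(lock)) console.log(`${h.flag}\t${h.name}@${h.version}\t${h.path}`);
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `findWatched`.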

More cybersecurity news:

Windows 10 October 2018 Update causes more issues

Another day, another set of problems caused by Windows 10 October 2018 Update. This time, Windows 10 version 1809 has been blamed for breaking the seek bar in Windows Media Player, as well as breaking some Win32 defaults. The Register reported, “In some cases, Microsoft Notepad or other Win32 programs cannot be set as the default.” Microsoft hasn’t said how widespread the issue is but claimed that retrying to set the default applications “will succeed.”

Given the side effects of Windows 10 Updates, it's recommended that you wait at least seven days if not more before installing quality updates. Change your settings to control when Windows Updates are installed.

Microsoft outage postmortem

Microsoft explained that a trio of bugs was responsible for knocking out Azure and Office 365 for 14 hours last week.

2 hospitals hit with ransomware over the weekend

Two hospitals — Ohio Regional Hospital in Wheeling, West Virginia, and Ohio Valley Medical Center in Martins Ferry, Ohio, both of which are owned by Ohio Valley Health Services & Education Corp. — were hit with ransomware attacks on Nov. 23. No patient data was compromised, the hospitals said. Few details have been released other than the issue reportedly was expected to be resolved by Nov. 25.

7 countries accuse Google of GDPR violations

Consumer groups from seven European organizations will file GDPR complaints against Google for tracking the movements of millions of users even when “Location History” is turned off.

As for GDPR fines, German social media platform Knuddels was hit with a GDPR fine after a data breach exposed the personal information of 330,000 users. Their email addresses and passwords had been stored in plain text.

9 nations grill Facebook exec over election meddling, spread of fake news

Shortly after British Parliament seized a cache of Facebook documents, one of Facebook’s European executives faced an “international grand committee” made of legislators from nine nations to answer for Facebook’s role in election meddling and the spreading of disinformation. One of the seized documents revealed, “An engineer at Facebook notified the company in October of 2014 that an entity with Russian IP addresses had been using a Pinterest API key to pull over three billion data points a day.”
