Malicious code in any software can have major consequences. This concept also applies to code found in specific web pages. The popular Event-Stream JavaScript library currently contains a backdoor. Criminals exploiting this opportunity can steal cryptocurrency from web site visitors. This is another example of how criminals continue to explore nefarious get-rich-quick schemes.

The JavaScript Library Problem

It is safe to say this recent JavaScript backdoor discovery can have widespread consequences. The Event-Stream package is downloaded roughly 2 million times every single week. As such, the backdoor can be exploited in a major fashion. Criminals are seemingly intent on stealing funds from cryptocurrency wallets. This puts Bitcoin enthusiasts around the world at significant risk.

The exploit was discovered earlier in November. Older versions of the JavaScript library suddenly received a new component. In this “addition,” obfuscated code was found which serves to steal cryptocurrency. This malicious code has been around for over three months. The current person in charge of this library seemingly has a lot to answer for.

The Copay wallet is a target of the malicious code found in the Event-Stream JavaScript.

More specifically, the new developer is seemingly the culprit behind this backdoor. The changes were introduced on the same day he received access to the repository in question. This blatant criminal intent can pose significant problems for Bitcoin users. Primarily, the Copay wallet application for mobile and desktop is of great interest. Through the injected code, users of this wallet can have their funds stolen without recourse.

Another Exploit for Criminals

To this date, it remains unclear if anyone lost Bitcoin funds due to this JavaScript backdoor. The Copay wallet is popular, albeit not the market leader. As such, the real-world impact of this exploit may be less severe than originally assumed. It is still a worrisome development for the cryptocurrency industry as a whole. The latest Copay wallet is seemingly unaffected by this JavaScript issue.


It is not the first time criminals tried to steal funds from Bitcoin wallets via malicious code. Such events have become significantly more common in recent years. Even at the current low prices, criminals favor cryptocurrency over pursuing other financial gains due to a worldwide reach and near-instant transfers. This latest effort is, while somewhat unique, not necessarily as impactful as other attempts to obtain cryptocurrency. Cryptojacking and ransomware remain two other key threats to keep in mind.

It is good to see the Copay developers take swift action. Addressing matters like these needs to be done quickly. With the new wallet no longer suffering from this problem, user funds should be safe for the foreseeable future. It is still up to individual users to ensure they update the wallet to the new version, first and foremost. On mobile devices, this process usually happens automatically.

What do you think about this popular JavaScript being used to steal crypto? Let us know in the comments below.

Images courtesy of Shutterstock and Pixabay.

Tags: , , , , ,

Leave a Reply

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.