Statement on NPM Package Vulnerability in v5.0.2-5.1.0 of Copay Wallets

We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code that could be used to capture users' private keys. So far we have confirmed only that the malicious code was deployed in versions 5.0.2 through 5.1.0 of our Copay and BitPay apps; the BitPay app, although the malicious code was present in it, was not vulnerable to it. We are still investigating whether this vulnerability was ever exploited against Copay users.

Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, do not run or open the app. A security update (version 5.2.0) has been released and will be available to all Copay and BitPay wallet users in the app stores shortly.
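The two checks a practitioner wants after an advisory like this one are (1) whether an installed build falls inside the affected version range and (2) whether a project's package-lock.json pulls in a named dependency at a known-bad version, directly or transitively, and through which dependency path. The following is an added example written for this page; it is not code from BitPay or the Copay project. Because the advisory does not name the modified package, the package names and versions in BAD_VERSIONS and in the sample lockfiles are hypothetical placeholders, and the lockfiles are constructed for the example.

```javascript
'use strict';

// Added example, not BitPay/Copay code. Package names and versions below are
// hypothetical placeholders; the advisory does not name the modified package.

// Parse "5.1.0" (optionally prefixed with "v") into [5, 1, 0].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check; defaults are the affected Copay range from the advisory.
function isAffectedAppVersion(v, lo = '5.0.2', hi = '5.1.0') {
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
}

// Hypothetical advisory data: package name -> set of compromised versions.
const BAD_VERSIONS = {
  'hypothetical-stream': new Set(['0.1.1']),
};

// Return every occurrence of a listed package at a bad version, with the
// dependency path that pulled it in. Supports lockfileVersion 1 (nested
// "dependencies" objects) and 2/3 (flat "packages" keyed by node_modules path).
function findCompromised(lock, bad = BAD_VERSIONS) {
  const hits = [];
  const record = (name, version, path) => {
    if (bad[name] && bad[name].has(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project entry
      // "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"]; last element is the name
      const path = key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
      record(path[path.length - 1], meta.version, path);
    }
  } else {
    const walk = (deps, path) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = [...path, name];
        record(name, meta.version, here);
        walk(meta.dependencies, here); // nested copies that npm did not hoist
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Combine both checks into the advisory's decision: an affected build must not
// be run; update to 5.2.0, then Send Max the balance to a fresh 5.2.0 wallet.
function assess(appVersion, lock) {
  const affectedVersion = isAffectedAppVersion(appVersion);
  const compromised = findCompromised(lock);
  const affected = affectedVersion || compromised.length > 0;
  const action = affected
    ? 'do not run; update to 5.2.0, then Send Max to a brand new 5.2.0 wallet'
    : 'no action required';
  return { affectedVersion, compromised, affected, action };
}

// Constructed sample lockfiles (not real Copay lockfiles).
const SAMPLE_LOCK_V1 = {
  name: 'wallet-app', version: '5.1.0', lockfileVersion: 1,
  dependencies: {
    'hypothetical-event-lib': {
      version: '3.3.6',
      requires: { 'hypothetical-stream': '0.1.1' },
      dependencies: { 'hypothetical-stream': { version: '0.1.1' } }, // non-hoisted bad copy
    },
    'hypothetical-stream': { version: '0.1.0' }, // hoisted, clean version
  },
};

const SAMPLE_LOCK_V3 = {
  name: 'wallet-app', version: '5.2.0', lockfileVersion: 3,
  packages: {
    '': { version: '5.2.0' },
    'node_modules/hypothetical-event-lib': { version: '3.3.4' },
    'node_modules/hypothetical-stream': { version: '0.1.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assess('5.1.0', SAMPLE_LOCK_V1), null, 2));
  console.log(JSON.stringify(assess('5.2.0', SAMPLE_LOCK_V3), null, 2));
}
```

The lockfile walk deliberately reports nested, non-hoisted copies: a clean version at the top of node_modules does not mean a compromised version is absent further down the tree, which is exactly where a malicious transitive dependency hides. To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the placeholder entries in BAD_VERSIONS with the package and versions named in the advisory you are acting on.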

Users should assume that private keys on affected wallets have been compromised and should move their funds to new wallets (v5.2.0) immediately. Do not migrate by importing an affected wallet's twelve-word backup phrase into a new wallet: the phrase corresponds to the potentially compromised private keys, so the new wallet would be just as exposed. Instead, first update the affected wallet (5.0.2-5.1.0) to 5.2.0, then send all funds from it to a brand new BitPay or Copay wallet generated on version 5.2.0, using the Send Max feature to transfer the entire balance.

UPDATE, 12/12/18: Version 5.3.1 of Copay and BitPay now includes security updates that address both the NPM dependency and network vulnerabilities. Read the full blog post.

UPDATE, 11/28/18: Some readers have misunderstood the final sentence of the advisory. Users do not need to move to a different wallet platform. Version 5.2.0 of the BitPay and Copay apps has removed the malicious code and will generate the new, secure wallets needed to receive funds from affected wallets/private keys. We have updated the final sentence of the post to reflect that we recommend that "brand new wallets" be generated from BitPay or Copay v5.2.0 or greater.

Post written by the BitPay Team and syndicated here.
