{
	"id": "4522d3b6-4f31-42e3-997b-0f8190d95d0b",
	"created_at": "2026-04-06T02:11:13.450067Z",
	"updated_at": "2026-04-10T03:20:19.775913Z",
	"deleted_at": null,
	"sha1_hash": "72a53aec0d3b49bd7ee8862f03f7ee13da7b0916",
	"title": "Hacker Infects Node.js Package to Steal from Bitcoin Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317944,
	"plain_text": "Hacker Infects Node.js Package to Steal from Bitcoin Wallets\r\nArchived: 2026-04-06 01:51:33 UTC\r\nA Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps.\r\nThe Node.js library is called “event-stream,” a toolkit for developers to create and work with streams. The malicious code in question was identified earlier this week as having been added to the library’s version 3.3.6, published in September, which has since been downloaded by millions of application programmers.\r\nThe event-stream module was originally written by Dominic Tarr, who maintained the library before handing the reins to a project contributor who goes by the handle “right9ctrl.” Tarr indicated that he had not used the module for years and transferred its ownership after he received an email regarding its maintenance. The new maintainer then released event-stream version 3.3.6 with a new dependency called “flatmap-stream” that contained the malicious code.\r\nSince the flatmap-stream module was encrypted, the malicious code remained undetected for over two months until Ayrton Sparling (FallingSnow) flagged the issue on GitHub last week.\r\nOpen-source project manager and event-stream host Node Package Manager (NPM) has since reviewed the obfuscated code and encrypted payload. NPM found that the malicious module was designed to swipe bitcoins from Copay wallets, a wallet app by Bitcoin payment platform BitPay. Copay is said to have incorporated event-stream into its app.\r\nThe malicious code, distributed via NPM, attempted to steal bitcoins stored in Copay wallets and reportedly transfer the funds to a server located in Kuala Lumpur.\r\nThe backdoor was removed from NPM on Monday this week. BitPay has also published an advisory that users should update their Copay wallets (versions 5.0.2 through 5.1.0) to version 5.2.0, as the older versions may have been compromised. The company also clarified that the BitPay app was not affected by the malicious code.\r\nDefending Against Cryptocurrency-Mining Malware\r\nhttps://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets\r\nCopay users are advised to avoid running or opening affected versions (5.0.2 to 5.1.0) and to immediately update their wallets to version 5.2.0. Users who ran the vulnerable versions of the software should assume that their private keys have been affected by the malware and should move their funds to Copay 5.2.0 or later.\r\nThis incident highlights how an attacker can stealthily infect systems with cryptocurrency-mining malware. The hacker here gained access to a popular JavaScript library to steal coins in wallet apps. Aside from stolen funds, machines infected by cryptocurrency-mining malware can suffer significant performance issues. Users can consider adopting security solutions that defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.\r\nTrend Micro™ Deep Discovery Inspector™ protects customers via this DDI rule:\r\nDDI Rule ID 26: C\u0026C callback attempt\r\nIndicators of Compromise (IoCs)\r\nRelated hashes (SHA-256):\r\nafc100fb28f7bac05e41d9ae33f184502b8068642b7fd05970eb72bf1786892c - Coinminer.Win32.MALBTC.AA\r\n8b90859b19e3e3dea8d923996709210ed48ff3249563f56ff12eb1936ffcc295 - Coinminer.Win32.MALBTC.AA",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
	],
	"report_names": [
		"hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
	],
	"threat_actors": [],
	"ts_created_at": 1775441473,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72a53aec0d3b49bd7ee8862f03f7ee13da7b0916.pdf",
		"text": "https://archive.orkl.eu/72a53aec0d3b49bd7ee8862f03f7ee13da7b0916.txt",
		"img": "https://archive.orkl.eu/72a53aec0d3b49bd7ee8862f03f7ee13da7b0916.jpg"
	}
}