EventStream npm: Malicious Code Buried in Dependency Targets Bitcoin Wallet

A malicious contributor took over a popular npm package (event-stream, 2 million downloads/week) and inserted obfuscated code targeting the Copay Bitcoin wallet app — demonstrating that open source package ownership can be weaponised.

npm / BitPay Copay · 2018 · 2 min read

Background

The event-stream npm package was a foundational Node.js utility used by millions of applications. Its original maintainer, Dominic Tarr, had not actively maintained it for years and accepted a handover request from a new contributor who appeared enthusiastic about taking over.

The Attack

The new contributor added a dependency, flatmap-stream, to event-stream. The flatmap-stream package contained heavily obfuscated code that was activated only when specific conditions were met: it checked whether the parent application was the Copay Bitcoin wallet (owned by BitPay). If it was, the code attempted to steal users' private keys and wallet balances at the moment of a transaction. The malicious code was hidden in encrypted form inside a test file and decrypted only at runtime, and it sat three levels deep in the dependency tree.

Response

Security researcher Ayrton Sparling discovered the malicious code in November 2018 after investigating unusual npm package behaviour. npm removed the malicious packages. BitPay pushed emergency updates to Copay. GitHub's npm security team investigated and published analysis. The malicious contributor's identity was never confirmed.

Outcome

Copay users who had the malicious version installed and conducted Bitcoin transactions between certain dates may have had wallets compromised. The incident demonstrated the extreme difficulty of auditing transitive dependencies in modern software and catalysed npm's investment in package security scanning.

Key Takeaways

  1. Open source package maintainers must have succession policies — do not transfer ownership to unknown contributors
  2. Transitive dependencies (dependencies of dependencies) receive almost no security scrutiny despite running in production
  3. Obfuscated code in any package — especially test files — should trigger immediate review
  4. Software Bill of Materials (SBOM) and automated dependency scanning are essential for supply chain risk management
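The audit sketched below is an added example, not code from the article or from npm or BitPay. It ties together the attack description and takeaways 2 and 3: it walks a package-lock-style dependency tree (constructed inline) to record how deep each package sits, and scans constructed file contents for the indicators this incident is known for, a decrypt-at-runtime call, dynamic eval, and long high-entropy string literals, weighting them higher when they live under a test/ directory. The tree shape, file contents and thresholds are all assumptions made for the demonstration.

```javascript
// Shannon entropy in bits per character; opaque base64/hex blobs score near 6.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Indicators of the incident's pattern: decrypt-at-runtime, dynamic eval, opaque literals.
function obfuscationIndicators(path, source) {
  const hits = [];
  if (/\bcreateDecipher(iv)?\s*\(/.test(source)) hits.push('runtime-decrypt');
  if (/\b(eval|new Function)\s*\(/.test(source)) hits.push('dynamic-eval');
  const blobs = (source.match(/["'][A-Za-z0-9+\/=]{64,}["']/g) || [])
    .filter((lit) => entropy(lit.slice(1, -1)) > 4.5); // drops low-entropy padding
  if (blobs.length) hits.push(`opaque-literal x${blobs.length}`);
  if (hits.length && /(^|\/)test\//.test(path)) hits.push('in-test-file');
  return hits;
}

// Depth-first walk of a package-lock-style tree: 1 = direct dep, 2+ = transitive.
function packageDepths(node, depth = 0, out = new Map()) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    out.set(name, Math.min(depth + 1, out.get(name) ?? Infinity));
    packageDepths(child, depth + 1, out);
  }
  return out;
}
// files: [{ pkg, path, source }]; returns one finding per file with indicators.
function audit(tree, files) {
  const depths = packageDepths(tree);
  return files
    .map((f) => ({ pkg: f.pkg, path: f.path, depth: depths.get(f.pkg),
                   indicators: obfuscationIndicators(f.path, f.source) }))
    .filter((f) => f.indicators.length > 0);
}
// Constructed sample data (not real package contents) shaped like the incident.
const SAMPLE_TREE = { dependencies: { 'event-stream': { dependencies: { 'flatmap-stream': {} } } } };
const BLOB = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.repeat(2);
const SAMPLE_FILES = [
  { pkg: 'event-stream', path: 'index.js', source: 'module.exports = require("./lib");' },
  { pkg: 'flatmap-stream', path: 'test/data.js',
    source: `var d = crypto.createDecipher("aes256", k); eval(d.update("${BLOB}", "hex", "utf8"));` },
];
const FINDINGS = audit(SAMPLE_TREE, SAMPLE_FILES);
```

Run against a real checkout, the same functions would take the `dependencies` object of package-lock.json and the files under node_modules; the point is that a transitive package at depth 2 with these indicators in a test file is exactly what a reviewer never looks at by default.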