The Copay wallet from U.S.-based bitcoin payments processor BitPay has been compromised by a hacker, the firm says.
The malware was deployed on versions 5.0.2 through 5.1.0 of its Copay and BitPay wallet apps, and could potentially be used to capture private keys to steal bitcoin and bitcoin cash.
The firm is asking users to not run or open the Copay wallet if they are using versions from 5.0.2 to 5.1.0. It has now released an updated version (5.2.0) without the malicious code for all Copay and BitPay wallet users that will be available in app stores "momentarily."
BitPay stressed: “Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.”
Bitpay has also advised users to not move any funds to new wallets by importing their 12-word backup phrases, since they correspond to "potentially compromised private keys.”
“Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds,” it explained.
The attack appears to have been carried out by a supposed developer called Right9ctrl who took over maintenance of the NodeJS library from its author who no longer had time for the work, ZDNet reports. The social engineering attack occurred about three months ago when Right9ctrl was granted access to the repository, at which point they injected the malware.
Code image via Shutterstock
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.