The malicious code in the package caught the eye of researchers last week. Today, after researchers decrypted and deobfuscated the code, it was revealed that the library had been infected in order to steal cryptocurrency.
Researchers found that a new component named ‘flatmap-stream’, version 0.1.1, has been infected with dangerous code. The component was added after the original developer, Dominic Tarr, passed the rights to the library on to another developer named right9ctrl.
According to the researchers investigating the code, the targets are libraries linked to the Copay Bitcoin wallet app, which is available to mobile as well as desktop users.
The harmful code steals the coins in the Copay wallet and then tries to connect to copayapi.host, at IP address 18.104.22.168, located in Malaysia.
Submitted by: Arnfried Walbrecht