A Node.js module with nearly 2 million downloads a week was compromised after one of its open-source contributors went rogue. The malicious code was added to Event-Stream version 3.3.6, published on September 9 via the NPM repository, and has since been downloaded by nearly 8 million application programmers. The module was designed to target people using BitPay’s Bitcoin wallet app, Copay. BitPay assures its users that the BitPay app was not vulnerable to the malicious code. Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets.
Source: https://thehackernews.com/2018/11/nodejs-event-stream-module.html