What wallets are affected by the NPM package vulnerability?











up vote
6
down vote

favorite












Recently, a vulnerability was found in an open-source project used by some bitcoin wallet software (such as CoPay and BitPay).



Are there any other wallets known to be affected by this vulnerability?



If I am a user of this software, what steps can I take to secure my bitcoin?










share|improve this question


























    up vote
    6
    down vote

    favorite












    Recently, a vulnerability was found in an open-source project used by some bitcoin wallet software (such as CoPay and BitPay).



    Are there any other wallets known to be affected by this vulnerability?



    If I am a user of this software, what steps can I take to secure my bitcoin?










    share|improve this question
























      up vote
      6
      down vote

      favorite









      up vote
      6
      down vote

      favorite











      Recently, a vulnerability was found in an open-source project used by some bitcoin wallet software (such as CoPay and BitPay).



      Are there any other wallets known to be affected by this vulnerability?



      If I am a user of this software, what steps can I take to secure my bitcoin?










      share|improve this question













      Recently, a vulnerability was found in an open-source project used by some bitcoin wallet software (such as CoPay and BitPay).



      Are there any other wallets known to be affected by this vulnerability?



      If I am a user of this software, what steps can I take to secure my bitcoin?







      copay bitpay weaknesses






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 27 at 11:12









      chytrik

      5,7772523




      5,7772523






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          7
          down vote



          accepted










          Only Copay is affected by this vulnerability.



          Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.



          Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.



          Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.






          share|improve this answer





















          • Can you define the verb "vendor"? I could only find the noun in major dictionaries.
            – Kevin
            Nov 27 at 15:42






          • 1




            @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
            – Raghav Sood
            Nov 27 at 16:09






          • 1




            Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
            – Kevin
            Nov 27 at 16:15






          • 2




            I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
            – Nic Hartley
            Nov 27 at 18:09






          • 1




            I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
            – Raghav Sood
            Nov 27 at 18:17











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "308"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81407%2fwhat-wallets-are-affected-by-the-npm-package-vulnerability%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          7
          down vote



          accepted










          Only Copay is affected by this vulnerability.



          Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.



          Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.



          Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.






          share|improve this answer





















          • Can you define the verb "vendor"? I could only find the noun in major dictionaries.
            – Kevin
            Nov 27 at 15:42






          • 1




            @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
            – Raghav Sood
            Nov 27 at 16:09






          • 1




            Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
            – Kevin
            Nov 27 at 16:15






          • 2




            I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
            – Nic Hartley
            Nov 27 at 18:09






          • 1




            I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
            – Raghav Sood
            Nov 27 at 18:17















          up vote
          7
          down vote



          accepted










          Only Copay is affected by this vulnerability.



          Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.



          Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.



          Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.






          share|improve this answer





















          • Can you define the verb "vendor"? I could only find the noun in major dictionaries.
            – Kevin
            Nov 27 at 15:42






          • 1




            @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
            – Raghav Sood
            Nov 27 at 16:09






          • 1




            Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
            – Kevin
            Nov 27 at 16:15






          • 2




            I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
            – Nic Hartley
            Nov 27 at 18:09






          • 1




            I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
            – Raghav Sood
            Nov 27 at 18:17













          up vote
          7
          down vote



          accepted







          up vote
          7
          down vote



          accepted






          Only Copay is affected by this vulnerability.



          Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.



          Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.



          Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.






          share|improve this answer












          Only Copay is affected by this vulnerability.



          Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.



          Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.



          Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 27 at 11:26









          Raghav Sood

          6,64911127




          6,64911127












          • Can you define the verb "vendor"? I could only find the noun in major dictionaries.
            – Kevin
            Nov 27 at 15:42






          • 1




            @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
            – Raghav Sood
            Nov 27 at 16:09






          • 1




            Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
            – Kevin
            Nov 27 at 16:15






          • 2




            I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
            – Nic Hartley
            Nov 27 at 18:09






          • 1




            I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
            – Raghav Sood
            Nov 27 at 18:17


















          • Can you define the verb "vendor"? I could only find the noun in major dictionaries.
            – Kevin
            Nov 27 at 15:42






          • 1




            @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
            – Raghav Sood
            Nov 27 at 16:09






          • 1




            Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
            – Kevin
            Nov 27 at 16:15






          • 2




            I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
            – Nic Hartley
            Nov 27 at 18:09






          • 1




            I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
            – Raghav Sood
            Nov 27 at 18:17
















          Can you define the verb "vendor"? I could only find the noun in major dictionaries.
          – Kevin
          Nov 27 at 15:42




          Can you define the verb "vendor"? I could only find the noun in major dictionaries.
          – Kevin
          Nov 27 at 15:42




          1




          1




          @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
          – Raghav Sood
          Nov 27 at 16:09




          @Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application.
          – Raghav Sood
          Nov 27 at 16:09




          1




          1




          Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
          – Kevin
          Nov 27 at 16:15




          Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options).
          – Kevin
          Nov 27 at 16:15




          2




          2




          I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
          – Nic Hartley
          Nov 27 at 18:09




          I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community.
          – Nic Hartley
          Nov 27 at 18:09




          1




          1




          I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
          – Raghav Sood
          Nov 27 at 18:17




          I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it.
          – Raghav Sood
          Nov 27 at 18:17


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Bitcoin Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f81407%2fwhat-wallets-are-affected-by-the-npm-package-vulnerability%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          AnyDesk - Fatal Program Failure

          How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

          QoS: MAC-Priority for clients behind a repeater