
A hacker has gained legitimate access to a popular JavaScript library and has injected malicious code that steals Bitcoin and Bitcoin Cash funds stored inside BitPay’s Copay wallet apps, ZDNet reported.

The library loading the malicious code is named Event-Stream, a JavaScript npm package for working with Node.js streaming data.

This is an extremely popular JavaScript library, with over two million weekly downloads on the npmjs.com repository, but about three months ago, its original author, due to a lack of time and interest, handed its development over to another programmer named Right9ctrl.

But according to an eagle-eyed user who spotted issues with Event-Stream last week, Right9ctrl had immediately poisoned the library with malicious code.

The presence of this malicious code was identified earlier, but only recently have researchers been able to understand what the heavily obfuscated malicious code actually does.

According to users on Twitter, GitHub, and Hacker News, this malicious code lies dormant until it’s used inside the source code of Copay, a desktop and mobile wallet app developed by Bitcoin payment platform BitPay.

Once the malicious code has been compiled and shipped inside poisoned versions of the Copay wallet app, it will steal users’ wallet information, including private keys, and send it to the copayapi.host URL on port 8080.

Project maintainers who use these two libraries are advised to update their dependency trees to the latest version available.

The malicious Event-Stream v3.3.6 has also been taken down from npmjs.com, but the Event-Stream library is still available.
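
For maintainers checking their dependency trees, the following sketch (an added example, not code from the article, ZDNet or npm) searches a parsed npm lockfile for the Event-Stream v3.3.6 release named above, including copies pulled in transitively. The function name, the sample lockfiles and every package name other than event-stream are constructed for illustration.

```javascript
// The package and version the article names as malicious.
const BAD = { name: "event-stream", version: "3.3.6" };

// Return every location in a parsed package-lock.json where name@version is pinned.
function findLockedVersion(lock, name, version) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const pkgName = meta.name || path.split("node_modules/").pop();
      if (pkgName === name && meta.version === version) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name && meta.version === version) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles: a clean top-level copy plus a nested bad copy.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "3.3.4" },
    "hypothetical-build-tool": {
      version: "1.0.0",
      dependencies: { "event-stream": { version: "3.3.6" } },
    },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "0.0.1" },
    "node_modules/event-stream": { version: "3.3.4" },
    "node_modules/hypothetical-build-tool/node_modules/event-stream": { version: "3.3.6" },
  },
};

for (const lock of [sampleV1, sampleV3]) {
  console.log(findLockedVersion(lock, BAD.name, BAD.version));
}
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findLockedVersion`; a top-level version check alone would miss the nested copy in both samples.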
