The "popular" node.js "event-stream" library was loaded with a module stealing from Copay bitcoin wallet after creator and longtime maintainer Dominic Tarr handed maintenance over to an unknown identifying itself with the text string "right9ctrl" (). Before the handover right9ctrl made a couple of contributions to event-stream building rapport with Tarr. After getting the keys to the repository right9ctrl added a dependency in event-stream on a new "flatmap-stream" library which had been distributed in an encrypted form, which should itself have been a warning . Instead it took two months for supicions to emerge.
Bitpay's Copay wallet used the even-stream library, and Bitpay was in raising the alarm over this grave subversion of their product.
