Developers have reportedly discovered a dangerous bug in the Copay wallets used by BitPay.
The module, called “Event-stream”, part of the Node.js ecosystem, is used by several applications, including the widely used cryptocurrency wallets, which were reportedly compromised by a user who had recklessly been left with access to the GitHub repository.
This is what was established after @dominictarr, who has access to the repository, granted control of the module to another user.
How was the bug on Copay created?
After gaining access to the GitHub repository, the user inserted malware into it, then removed it himself after 3 days, reporting it as a problem.
In this way, after the corrective patch, the malware went unnoticed, but in the meantime it had already been installed on tens, if not hundreds, of thousands of wallets, which were infected.
The use of open source libraries is very common in the world of software development and usually these products are created and maintained by hobbyists: these programmers are professionals paid by companies that have an interest in the development of the software itself, such as Red Hat, which develops Linux interfaces and, instead of waiting for new versions created freely, prefers to drive the development.
Of course, in this case, this working model is very risky for sensitive software such as cryptocurrency wallets, which can hold even large sums of money.