This is an extremely popular library, with more than two million weekly downloads. However, about three months ago, the author of Event-Stream transferred the library to another developer, Right9ctrl. Thanks to a vigilant user, it was established that Right9ctrl immediately introduced malicious code into the project. The malicious component was seen in Event-Stream 3.3.6.
According to users on Twitter, GitHub and Hacker News, the malicious code stays in a state of "hibernation" until it is used inside the source code of Copay (a desktop and mobile wallet application developed by the BitPay platform).
Once the malicious code gets into Copay, it will steal all user information, including private keys, and send it to copayapi.host on port 8080.