The "popular" node.js "event-stream" library was loaded with a module stealing from Bitpay's Copay Bitcoin wallet after creator and longtime maintainer Dominic Tarr handed maintenance over to an unknown identifying itself with the text string "right9ctrl" (archived). Before the handover right9ctrl made a couple of contributions to event-stream building rapport with Tarr. After getting the keys to the repository right9ctrl added a dependency in event-stream on a new "flatmap-stream" library which had been distributed in an encrypted form, which should itself have been a warning if anyone had been bothering to read code they run. Instead it took two months for supicions to emerge.
Bitpay's Copay wallet used the even-stream library, and Bitpay was not involved in raising the alarm over this grave subversion of their product.