According to user reports on Twitter, GitHub and Hacker News, the malicious code is dormant by default but activates automatically when Copay (a desktop and mobile wallet application developed by the Bitcoin payment platform BitPay) is started. It steals user information, including private keys and wallet data, and sends it to copayapi.host on port 8080.
It has been confirmed that all versions of the Copay wallet released between September and November are considered to have been infected. Earlier today, the BitPay team released Copay v5.2.2, in which the Event-Stream and Flatmap-Stream dependencies have been removed. The malicious Event-Stream v3.3.6 has also been removed from npm.org, but the Event-Stream library is still available. This is because Right9ctrl tried to remove his malicious code and released a follow-up version of Event-Stream that does not contain any malicious code.
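One way to check a project's npm lockfile for the two packages named above, as an added example that is not code from BitPay or from the original article. The `sampleLock` data, the `example-tool` and `example-helper` package names and the sample version strings are constructed, and treating every Flatmap-Stream version as flagged is an assumption.

```javascript
// Added example; the lockfile below is constructed sample data.
// Indicators from the article: Event-Stream v3.3.6 and any Flatmap-Stream.
const FLAGGED = [
  { name: 'event-stream', version: '3.3.6' },
  { name: 'flatmap-stream', version: null }, // null = any version (assumption)
];

const isFlagged = (name, version) =>
  FLAGGED.some(f => f.name === name && (f.version === null || f.version === version));

// Handles both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function findFlagged(lock) {
  const hits = new Map(); // "name@version" -> Set of locations
  const record = (name, version, where) => {
    if (!isFlagged(name, version)) return;
    const id = `${name}@${version}`;
    if (!hits.has(id)) hits.set(id, new Set());
    hits.get(id).add(where);
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last path segment is the name
    if (name) record(name, meta.version, path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version, [...trail, name].join(' > '));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return [...hits].map(([id, where]) => ({ id, where: [...where] }))
    .sort((a, b) => a.id.localeCompare(b.id));
}

// Constructed lockfile: hypothetical packages pulling in the flagged ones,
// plus a later Event-Stream release (made-up version) that must not be flagged.
const sampleLock = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    'example-tool': { version: '1.0.0', dependencies: {
      'event-stream': { version: '3.3.6', dependencies: {
        'flatmap-stream': { version: '0.0.0-sample' } } } } },
    'example-helper': { version: '1.0.0', dependencies: {
      'event-stream': { version: '9.9.9-sample' } } },
  },
};

for (const hit of findFlagged(sampleLock)) console.log(hit.id, 'via', hit.where.join('; '));
```

To scan a real project, pass `findFlagged` the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `sampleLock`.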