A malicious developer, given access to a highly popular JavaScript code library legitimately, has apparently built in an exploit that allows access to Copay-derived wallets’ private keys. Patches are available for the exploit but caution must be taken when updating.