The vulnerability only affects certain versions of the Copay wallet.

BitPay’s Copay wallet has been comprised, according to a November 26 announcement from the company, by malware that can potentially access private keys and be used to steal digital currency.

The malicious code appears to have first been identified last week on GitHub, although BitPay seems to have only become aware of the vulnerability after a separate GitHub issue was published yesterday, November 26.

According to the press release, JavaScript code used by both Copay and BitPay applications was modified to load the malware. The malicious code was installed on the 5.0.2 through 5.1.0 versions of BitPay’s Copay wallet. The BitPay smartphone app is not affected, and BitPay is still investigating to find out if any individual user accounts were compromised.

In the meantime, BitPay is urging its customers using the infected versions of the Copay wallet to not open the app and to assume their private keys have been compromised.

BitPay says it has released a security update, Copay wallet version 5.2.0, which will be accessible to all Copay and BitPay customers. The company is cautioning users to first update their wallet to the more secure 5.2.0 version before inputting their 12-word backup phrases because these phrases correspond to private keys that may have been compromised. Once their wallets have been updated, users should move their funds from affected wallets to the updated version.