Board: Collectibles
Topic: Re: RarityCheck VIBGYOR gilded #12 swept yesterday.
by DaveF on 08/08/2024, 22:11:33 UTC
Walletgenerator.net has had known vulnerabilities since at least 2019: https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

But one other issue is that walletgenerator does not support the creation of vanity keys... so I'm confused why you even switched to using this software from bitaddress?

This is for the website, not for the code on GitHub which RC said he used.
One of the main reasons this vulnerability was found was by comparing the two code bases, which revealed the addition of the malicious code.

From that Medium article you posted in (2019):
'At this time, the code on GitHub is not malicious nor vulnerable, nor has it been malicious or vulnerable previously.'
Last check-in for that code on GitHub appears to be 7 years ago.

Even if that code was compromised, if it was on an air-gapped system there's no way it could have communicated the keys back to the malicious actors.
Something doesn't smell right here.

The code on GitHub seems to be clean; the site WAS compromised but as of now is not.
Now, note I said SEEMS clean; there might be something else that I missed. I am not a programmer, nor do I pretend to be, but since the GitHub has been static for 7+ years, as you pointed out, I would *think* there is something else going on.

Because, if it really was bad, you would *think* there would be a lot more people with lost funds.

Have you reported this to GitHub? They should take it down if it is compromised.

https://github.com/walletgeneratornet/WalletGenerator.net/issues/293

    Good man. Will they now pull it off the site? I hope nobody else downloads it.

As pointed out, if the code is bad on GitHub it's been that way for a loooong time with no other issues that have been reported.

-Dave