Post
Topic
Board Collectibles
Re: RarityCheck VIBGYOR gilded #12 swept yesterday.
by
hybridsole
on 08/08/2024, 23:50:00 UTC
Walletgenerator.net has had known vulnerabilities since at least 2019: https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

But one other issue is that walletgenerator does not support the creation of Vanity keys...so I'm confused why you even switched to using this software from bitaddress?

This is for the website- not for the code on github which RC said he used.
One of the main ways this vulnerability was found was by comparing the two code bases, which revealed the addition of the malicious code.

From that Medium article you posted (2019):
'At this time, the code on GitHub is not malicious nor vulnerable, nor has it been malicious or vulnerable previously.'
The last check-in for that code on GitHub appears to be 7 years ago.

Even if that code was compromised, if it was on an air-gapped system there's no way it could have communicated the keys back to the malicious actors.
Something doesn't smell right here.



Okay, I was about to remove my negative trust for this incident considering the refunds and finally revealing the software, but it still doesn't add up. If the GitHub repo that RarityCheck cited is not vulnerable, then there is more to the story. Surely after 7 years someone would have reported an issue on GitHub.


It was pure luck. We wanted to try creating vanity addresses (1O) for VIBGYOR coins, so we looked at multiple options.
In the end we didn't end up creating vanity addresses,
but still went with the software we were trying to use to generate vanity addresses.

We are currently trying to help every impacted customer.
Please note that we aim to reach out to every single one by Sunday evening.


Additionally, you stated that you used this software to generate vanity addresses, but it does not support generating vanity addresses. From what I can tell it offers no functionality above what bitaddress.org does except for supporting dead shitcoins.

I don't want to seem like we are being overly critical, and I want to commend you for refunding people, but the fact you waited this long to even give us the name of the software tells me you are still not sharing the full story.
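The thread turns on one check: whether the copy of the generator that was actually run matches the audited GitHub source, since the 2019 disclosure was found by diffing the served site against the repository. The script below is an added illustration, not code from any poster or from walletgenerator.net or bitaddress.org; the two HTML snippets are constructed stand-ins (the real files, hashes and file names are not on this page), and it simply hashes both copies and lists any lines, in particular script tags, that appear only in the copy being checked.

```python
import difflib
import hashlib
import re

# Constructed sample standing in for the audited repository copy of a generator page.
# Hypothetical content only; not the real walletgenerator.net or GitHub source.
REPO_HTML = """<html>
<head><title>Generator</title></head>
<body>
<script src="js/generator.js"></script>
</body>
</html>
"""

# Constructed sample standing in for a copy served from a website, with one extra
# script tag added. Hypothetical content only.
SERVED_HTML = """<html>
<head><title>Generator</title></head>
<body>
<script src="js/generator.js"></script>
<script src="js/extra.js"></script>
</body>
</html>
"""

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of the text; comparing these is the quickest 'is it the same file' check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(reference: str, candidate: str) -> list[str]:
    """Lines present in candidate but absent from reference, taken from a unified diff."""
    diff = difflib.unified_diff(
        reference.splitlines(), candidate.splitlines(), lineterm="", n=0
    )
    # Skip the '+++' file header; keep only genuine added lines (leading '+' stripped).
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def audit(reference: str, candidate: str) -> dict:
    """Compare a candidate copy against the reference and flag injected script tags."""
    added = added_lines(reference, candidate)
    return {
        "hash_matches": sha256_hex(reference) == sha256_hex(candidate),
        "added_lines": added,
        "added_script_tags": [line for line in added if SCRIPT_TAG.search(line)],
    }


if __name__ == "__main__":
    report = audit(REPO_HTML, SERVED_HTML)
    print("hash matches:", report["hash_matches"])
    for line in report["added_script_tags"]:
        print("script tag only in served copy:", line)
```

In practice the reference would be the tagged release pulled from the repository and the candidate the file saved from the site (or the one carried to the air-gapped machine); a hash mismatch alone says only that the files differ, so the diff is what shows whether the difference is a harmless edit or an extra script.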