On Tuesday, June 4, the npm, Inc. security team, in collaboration with Komodo, helped protect over $13 million in cryptocurrency assets after finding and responding to a malware threat targeting the users of a cryptocurrency wallet called Agama. The attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application.
The attack was carried out by using a pattern that is becoming more and more popular: the attacker published a “useful” package (electron-native-notify) to the npm registry, waited until it was in use by the target, and then updated it to include a malicious payload.
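The pattern above (a benign package that is later updated with a payload) is easiest to catch on the consuming side when a dependency range is allowed to float and when a version bump changes things no feature update should need. The following is an added example, not code from npm, Inc. or Komodo: two small checks a project could run over its own manifest and over the before/after `package.json` of a dependency. Package names and manifests are constructed placeholders, not the real contents of electron-native-notify.

```javascript
// Added example (not npm, Inc.'s or Komodo's code).
// Two defender-side checks against the "publish a useful package, then push a
// malicious update" pattern:
//  1. floatingRanges(): which declared dependency ranges are not pinned to an
//     exact version and so would pull a new publish on the next fresh install.
//  2. diffManifests(): what changed between two versions of a dependency's
//     package.json that deserves review before the update is accepted.

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function floatingRanges(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

function diffManifests(oldPkg, newPkg) {
  const added = (a = {}, b = {}) => Object.keys(b).filter((k) => !(k in a));
  const changed = (a = {}, b = {}) =>
    Object.keys(b).filter((k) => k in a && a[k] !== b[k]);
  return {
    // New runtime dependencies: a second-stage downloader often arrives this way.
    addedDependencies: added(oldPkg.dependencies, newPkg.dependencies),
    // Lifecycle scripts that run on install are worth a look whenever they appear or change.
    addedInstallHooks: added(oldPkg.scripts, newPkg.scripts).filter((s) => INSTALL_HOOKS.includes(s)),
    changedInstallHooks: changed(oldPkg.scripts, newPkg.scripts).filter((s) => INSTALL_HOOKS.includes(s)),
    // A moved entry point means the code that loads at require() time is not what was reviewed before.
    entryPointChanged: (oldPkg.main || "index.js") !== (newPkg.main || "index.js"),
  };
}

// Constructed sample manifests (hypothetical names; not the real packages).
const appManifest = {
  name: "example-wallet-app",
  dependencies: { "example-notify": "^1.1.0", "example-pinned-lib": "2.0.0" },
};
const depV1 = {
  name: "example-notify", version: "1.1.5", main: "index.js",
  scripts: { test: "node test.js" },
};
const depV2 = {
  name: "example-notify", version: "1.1.6", main: "lib/index.js",
  dependencies: { "example-fetch-helper": "0.1.0" },
  scripts: { test: "node test.js", postinstall: "node lib/setup.js" },
};

function report() {
  return { floating: floatingRanges(appManifest), diff: diffManifests(depV1, depV2) };
}

console.log(JSON.stringify(report(), null, 2));
```

On the constructed input, the first check flags `example-notify` because `^1.1.0` would accept a 1.1.6 publish on a fresh install, and the diff flags a new dependency, a new `postinstall` hook and a moved entry point in that update. In practice the two manifests to diff come from `npm view <pkg>@<version> --json` or from the unpacked tarballs; the check is only a prompt for review, not proof of malice.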
npm, Inc.’s internal security tooling team identified the threat and immediately responded by notifying and coordinating with Komodo to protect their users, as well as removing the malware from npm. The Komodo cyber security team used the same exploit to gain control of the affected seeds and secure the funds at risk, sweeping approximately 8 million KMD and 96 BTC from the vulnerable wallets.
If your wallet has not been swept, or you have other assets than KMD and BTC, Komodo strongly recommends moving all funds from Agama to a new address as soon as possible.
“The npm, Inc. team handled this vulnerability disclosure in an exemplary manner by providing us details that allowed the Komodo team to intervene and to significantly minimize the damage and potential impact,” said Kadan Stadelmann, chief technology officer of Komodo. “We would like to thank all involved parties for this commendable collaboration and look forward to future collaborations.”
Here is a brief demonstration video (0:16) showing the Agama wallet sending a wallet seed to a remote server:
- After the wallet application is launched (left), a request to a remote server hosted on Heroku appears (right); this request downloads the second-stage payload.
- Once the user enters the wallet seed, a second request to that Heroku server appears, exfiltrating the wallet seed.
Users of npm will be automatically notified via npm audit if they encounter this malicious dependency in their projects.
npm audit performs moment-in-time security reviews of a project’s dependency tree, and can help fix security vulnerabilities by providing simple-to-run npm commands and recommendations for further troubleshooting. npm audit is fully backed by reports from the community and independent research performed by the npm security team.
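Because npm audit reports are point-in-time, teams usually wire them into CI so a newly published advisory fails the build rather than waiting for someone to run the command. The following is an added example, not npm's own tooling: a gate over the JSON that `npm audit --json` emits. It assumes the report shape npm 7 and later produce (`auditReportVersion` 2, a `vulnerabilities` map keyed by package name with `severity`, `isDirect` and `fixAvailable` fields); the sample report is constructed with placeholder package names.

```javascript
// Added example (not npm's own tooling): a CI gate over `npm audit --json`.
// Assumes the npm 7+ report shape: report.vulnerabilities is an object keyed by
// package name, each entry carrying severity, isDirect and fixAvailable.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function auditGate(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown threshold: ${threshold}`);
  const blocking = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined || rank < min) continue; // below threshold or unknown label
    blocking.push({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),          // direct deps are fixable in this repo's own manifest
      fixAvailable: v.fixAvailable !== false, // npm sets false when no non-breaking fix exists
    });
  }
  // Report direct dependencies first: those are the ones the project controls outright.
  blocking.sort((a, b) => Number(b.direct) - Number(a.direct));
  return { pass: blocking.length === 0, blocking };
}

// Constructed sample in the assumed shape (placeholder names, not real advisories).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-logger": { name: "example-logger", severity: "low", isDirect: false, range: "<2.0.0", fixAvailable: true },
    "example-notify": { name: "example-notify", severity: "critical", isDirect: true, range: "1.1.6", fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 1, total: 2 } },
};

const result = auditGate(sampleReport, "high");
console.log(JSON.stringify(result, null, 2));
```

In a pipeline this would be `npm audit --json > audit.json` followed by `JSON.parse` of that file and `process.exit(result.pass ? 0 : 1)`; the threshold is kept as a parameter so a repository can fail on `moderate` once its backlog is clear.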