npm, Inc. Catches Malware Attempt, Helps Komodo Protect $13M in Cryptocurrency Assets

Sophisticated Attack via Malicious JavaScript Thwarted by Operators of npm registry

OAKLAND, Calif.--()--On Tuesday, June 4, the npm, Inc. security team, in collaboration with Komodo, helped protect over $13 million in cryptocurrency assets after finding and responding to a malware threat targeting the users of a cryptocurrency wallet called Agama. The attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application.

The attack was carried out by using a pattern that is becoming more and more popular: the attacker published a “useful” package (electron-native-notify) to the npm registry, waited until it was in use by the target, and then updated it to include a malicious payload.

npm, Inc.’s internal security tooling team identified the threat and immediately responded by notifying and coordinating with Komodo to protect their users, as well as removing the malware from npm. The Komodo cyber security team used the same exploit to gain control of the affected seeds and secure the funds at risk, sweeping approximately 8 million KMD and 96 BTC from the vulnerable wallets.

** If your wallet has not been swept, or you have other assets than KMD and BTC, Komodo strongly recommends moving all funds from Agama to a new address as soon as possible. **

npm operates the world's largest public registry of reusable, open source library packages. The JavaScript community as a whole has published more than one million packages to the registry to make them easily discoverable and freely accessible. More than 11 million JavaScript developers worldwide make 40 billion registry requests per month. Ninety-seven percent of the code in a typical web application is downloaded from the npm public registry.

The safety and security of this vast resource is critical to the JavaScript community at-large, and to all of the applications that depend on it. While the primary defense against bad actors and malicious code is policing by the community itself, npm Inc. as operator of the registry has a unique role with valuable insights into security threats and code vulnerabilities. The continuous research and vigilance of npm's 24/7 security team provides an additional layer of defense by detecting potential vulnerabilities the moment they are published and taking swift action to alert the community to risks. npm also provides mitigation strategies before downstream users and customers are compromised.

"The npm, Inc. team handled this vulnerability disclosure in an exemplary manner by providing us details that allowed the Komodo team to intervene and to significantly minimize the damage and potential impact,” Kadan Stadelmann, chief technology officer of Komodo. “We would like to thank all involved parties for this commendable collaboration and look forward to future collaborations."

Here is a brief demonstration (0:16 sec) showing the Agama wallet sending a wallet seed to a remote server:

  • After launching the wallet application on the left, the user will see a request to a remote server hosted on Heroku on the right which downloads the second stage payload.
  • Once in the wallet seed, the user will see another request to that remote Heroku server successfully stealing the wallet seed.

Users of npm will be automatically notified via npm audit if they encounter this malicious dependency in their projects.

npm audit performs moment-in-time security reviews of a project’s dependency tree, and can help fix security vulnerabilities by providing simple-to-run npm commands and recommendations for further troubleshooting. npm audit is fully backed by reports from the community and independent research performed by the npm security team.

“The npm registry is the supplier of much of the world’s JavaScript, so we see packages before anybody else, with a context that nobody else has,” said Adam Baldwin, vice president of security, npm, Inc. “That means our security team can often spot things no one else can. And when we do, we immediately take action.”

More info links:

Video example: https://www.youtube.com/watch?v=6Guadww8CnU&feature=youtu.be

Blog post: https://blog.npmjs.org/

Komodo statement: https://komodoplatform.com/vulnerability-discovered-in-komodos-agama-wallet-this-is-what-you-need-to-do/

Contacts

Skye Callan
npm, Inc.
skye@npmjs.com
(510) 858-7608

Contacts

Skye Callan
npm, Inc.
skye@npmjs.com
(510) 858-7608