Press release

npm, Inc. Catches Malware Attempt, Helps Komodo Protect $13M in Cryptocurrency Assets

Sponsored by Businesswire

On Tuesday, June 4, the npm, Inc. security team, in collaboration with
Komodo, helped protect over $13 million in cryptocurrency assets after
finding and responding to a malware threat targeting the users of a
cryptocurrency wallet called Agama. The attack focused on getting a
malicious package into the build chain for Agama and stealing the wallet
seeds and other login passphrases used within the application.

The attack was carried out by using a pattern that is becoming more and
more popular: the attacker published a “useful” package
(electron-native-notify) to the npm registry, waited until it was in use
by the target, and then updated it to include a malicious payload.

npm, Inc.’s internal security tooling team identified the threat and
immediately responded by notifying and coordinating with Komodo to
protect their users, as well as removing the malware from npm. The
Komodo cyber security team used the same exploit to gain control of the
affected seeds and secure the funds at risk, sweeping approximately 8
million KMD and 96 BTC from the vulnerable wallets.

** If your wallet has not been swept, or you have other assets than
KMD and BTC, Komodo strongly recommends moving all funds from Agama to a
new address as soon as possible. **

npm operates the world’s largest public registry of reusable, open
source library packages. The JavaScript community as a whole has
published more than one million packages to the registry to make them
easily discoverable and freely accessible. More than 11 million
JavaScript developers worldwide make 40 billion registry requests per
month. Ninety-seven percent of the code in a typical web application is
downloaded from the npm public registry.

The safety and security of this vast resource is critical to the
JavaScript community at-large, and to all of the applications that
depend on it. While the primary defense against bad actors and malicious
code is policing by the community itself, npm Inc. as operator of the
registry has a unique role with valuable insights into security threats
and code vulnerabilities. The continuous research and vigilance of npm’s
24/7 security team provides an additional layer of defense by detecting
potential vulnerabilities the moment they are published and taking swift
action to alert the community to risks. npm also provides mitigation
strategies before downstream users and customers are compromised.

“The npm, Inc. team handled this vulnerability disclosure in an
exemplary manner by providing us details that allowed the Komodo team to
intervene and to significantly minimize the damage and potential
impact,” Kadan Stadelmann, chief technology officer of Komodo. “We would
like to thank all involved parties for this commendable collaboration
and look forward to future collaborations.”

Here is a brief
(0:16 sec) showing the Agama wallet sending a wallet
seed to a remote server:

  • After launching the wallet application on the left, the user will see
    a request to a remote server hosted on Heroku on the right which
    downloads the second stage payload.
  • Once in the wallet seed, the user will see another request to that
    remote Heroku server successfully stealing the wallet seed.

Users of npm will be automatically notified via npm audit if they
encounter this malicious dependency in their projects.

npm audit performs moment-in-time security reviews of a project’s
dependency tree, and can help fix security vulnerabilities by providing
simple-to-run npm commands and recommendations for further
troubleshooting. npm audit is fully backed by reports from the community
and independent research performed by the npm security team.

“The npm registry is the supplier of much of the world’s JavaScript, so
we see packages before anybody else, with a context that nobody else
has,” said Adam Baldwin, vice president of security, npm, Inc. “That
means our security team can often spot things no one else can. And when
we do, we immediately take action.”

More info links:

Video example:

Blog post:

Komodo statement: