Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

What a wild ride, eh Komodo?

DOor to a bank vault. Photo by Shutterstock

Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same.

The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens – worth about almost $13m – from the wallets, and stashed them in two digital wallets under its control, where the assets await reclamation by their owners.

Komodo has outlined which Agama wallets are affected on its support page, and said it intends to provide details about the vulnerability and a postmortem once it has done what's necessary to secure customer funds.

It received word of the exploitable security weakness from NPM, which detected the vulnerability through its source code scanning system. Over the past few years, the JavaScript custodian has been beefing up its security vulnerability detection capabilities following several security incidents.

In a blog post about how the vulnerability ended up in the Agama source code, NPM said the situation fit a pattern that has become common: publishing a useful package – in this case, electron-native-notify – and waiting until it gets integrated into a target application and then updating it with malicious code to steal information or worse.

"This attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application," explained Adam Baldwin, VP of security at NPM.

Baldwin said the vandalism originated with a commit by GitHub user sawlysawly on March 8 that added electron-native-notify ^1.1.5 as a dependency in EasyDEX-GUI, which is used in Agama. On March 23, electron-native-notify was updated to version 1.1.6 with malicious code.

Agama v0.35, with the compromised code, was released on April 13 and three days later, electron-native-notify was updated to 1.2.0 and sawlysawly thereafter revised Agama's dependencies to require that version of the library.

bitcoin

Bucharest's Bayrob boys blasted based on bogus buys, Bitcoin banditry, bound to be behind bars

READ MORE

The incident recalls a similar attack last year on the event-stream module, which saw one of its dependencies altered to steal Bitcoin.

A research paper [PDF] published in February, "Small World with High Risks: A Study of Security Threats in the npm Ecosystem," found that "installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers" and that up to 40 per cent of the registry's 800,000 packages include at least one publicly known vulnerability.

Compromising just one popular npm package, the paper says, can affect as many as 100,000 more packages.

Baldwin reassured users of npm that the npm audit command will identify known malicious packages in code projects.

NPM's flaw finding service will also notify users of packages with vulnerabilities. The subcommand npm audit fix may replace a vulnerable module with a patched version, if available. But manual review may be necessary and there may not be a fix available for insecure modules. ®

Sponsored: From CDO to CEO

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019