During an audit of the Agama wallet, designed to work with the Komodo cryptocurrency (KMD) and altcoins, npm's security experts discovered a dangerous vulnerability that threatened the security of its users. The researchers noticed a malicious update to the electron-native-notify library (version 1.1.6): the update introduced code for stealing wallet seeds and passphrases from cryptocurrency applications.
The experts did not immediately realize that they were dealing with a supply-chain attack: the malicious library targeted application developers, who then incorporated the compromised package into their own product.
That product was the Agama wallet, created by the Komodo team and built on EasyDEX-GUI. EasyDEX-GUI, as it turned out, loaded the dangerous electron-native-notify library.
Although the malicious code appeared in electron-native-notify as early as March 2019, it only reached Agama on April 13, 2019, with the release of Agama version 0.3.5. According to npm's experts, the attackers' code worked as intended: it stole seeds and passwords and transmitted them to a remote server, giving the campaign operators the opportunity to steal Agama users' funds.
When the problem became known, the Komodo developers decided to act and urgently secure their users and their funds.
“The npm, Inc. security team, in collaboration with Komodo, helped protect over $13 million USD in cryptocurrency assets as we found and responded to a malware threat targeting the users of a cryptocurrency wallet called Agama,” the developers reported.
To do this, they exploited the same vulnerability as the attackers: they used it to collect a large number of seeds and then moved all of the funds out of harm's way.
According to the official report, about 8,000,000 KMD and 96 BTC were rescued from vulnerable wallets in this way; otherwise the intruders could have stolen these funds. The funds were transferred to the wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC), where, as the developers assure, they are completely safe and under the control of the Komodo team.
[Embedded in the original at this point: a brief demonstration of the remote sending of the stolen data.]
Users can request the return of their tokens through a specially created page. It is also recommended to create new KMD and BTC addresses and to use new seeds and passphrases.