The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens – worth about almost $13m – from the wallets, and stashed them in two digital wallets under its control, where the assets await reclamation by their owners.
Komodo has outlined which Agama wallets are affected on its support page, and said it intends to provide details about the vulnerability and a postmortem once it has done what's necessary to secure customer funds.
In a blog post about how the vulnerability ended up in the Agama source code, NPM said the situation fit a pattern that has become common: publishing a useful package – in this case,
electron-native-notify – and waiting until it gets integrated into a target application and then updating it with malicious code to steal information or worse.
"This attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application," explained Adam Baldwin, VP of security at NPM.
Baldwin said the vandalism originated with a commit by GitHub user sawlysawly on March 8 that added
electron-native-notify ^1.1.5 as a dependency in EasyDEX-GUI, which is used in Agama. On March 23,
electron-native-notify was updated to version 1.1.6 with malicious code.
Agama v0.35, with the compromised code, was released on April 13 and three days later,
electron-native-notify was updated to 1.2.0 and sawlysawly thereafter revised Agama's dependencies to require that version of the library.
Bucharest's Bayrob boys blasted based on bogus buys, Bitcoin banditry, bound to be behind barsREAD MORE
The incident recalls a similar attack last year on the
event-stream module, which saw one of its dependencies altered to steal Bitcoin.
A research paper [PDF] published in February, "Small World with High Risks: A Study of Security Threats in the npm Ecosystem," found that "installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers" and that up to 40 per cent of the registry's 800,000 packages include at least one publicly known vulnerability.
Compromising just one popular npm package, the paper says, can affect as many as 100,000 more packages.
Baldwin reassured users of npm that the
npm audit command will identify known malicious packages in code projects.
NPM's flaw finding service will also notify users of packages with vulnerabilities. The subcommand
npm audit fix may replace a vulnerable module with a patched version, if available. But manual review may be necessary and there may not be a fix available for insecure modules. ®