Skip Navigation
Resources Blog Malicious Code Injection Strikes Again as npm Foils $13M ...

Malicious Code Injection Strikes Again as npm Foils $13M Cryptocurrency Theft

The npm security team, in collaboration with Komodo, just prevented the theft of $13M USD worth of cryptocurrency held in Agama wallets this week.

The malicious code injection attack was aimed at Agama’s build chain. In this case, the adversary submitted harmless changes to the npm open source package and waited patiently -- 15 days -- for Agama to incorporate the package in their software supply chain and build lifecycle. Once the package was recognized in external Agama releases, the hackers updated the package with malicious code that would enable them to claw out and steal users’ wallet seeds and passphrases.

Fortunately, npm’s security team was able to notify the Komodo platform. Together, the security teams were quickly able to disable the component. Komodo then released a statement to instruct Agama wallet users how to take further protective measures.

“Satashi Naka-no-mo”? Hardly.

From the mysterious origins of “Satashi Nakamoto” has arisen a rapidly growing ecosystem of alternative currencies. These currencies are growing in use and demand. How that will play out is anyone’s guess.

One thing is certain: cryptocurrency has always been a target for theft. As it grows in value, so too does it grow as an attractive target. 

Concurrently, the cryptocurrency environment is built on open source software throughout the software supply chain. Every application that works to make the buy, sale, and trade of crypto-assets “consumer-friendly” is built by developers who assemble it from freely available open source software components.

The Increasing Trend of Malicious Component Injection

Over the past two years, a dangerous new trend has emerged. Specifically, a series of 15 events have triangulated a serious escalation of software supply chain attacks. Adversaries are taking advantage of a new attack vector where they are directly injecting vulnerabilities into open source project releases and container images. This latest attack on Agama represents the 16th chapter in this story.

One thing is clear. We’re going to see more attacks like this one, not fewer.

What Your Team Can Do Today

You don’t have to own cryptocurrency -- or even care about it -- to appreciate the significant ramifications of how this attack happened. 

Simply put, malicious code was inserted into the public npm repository used by millions of developers, and which serves billions of code package downloads each week to software supply chains around the globe.

When used by adversaries as a malicious code injection path, the pathway from public package repositories to development teams subverts the trust of the open source community.

No matter what kind of software you use, it is crucial to know what it is made of -- including its dependencies and known vulnerabilities. Only then can you protect the valuable: your identity, your data, and yes, even your cryptocurrency. 

As our CTO Brian Fox says, “knowing what’s in your application and having accurate and granular visibility into code dependencies is the first and most important step toward building secure software.”

To find out if your own application contains known vulnerable open source components, we invite you to use our free Nexus Vulnerability Scanner. It will deliver a complete software bill of materials to you, including alerts on components with known security vulnerabilities or license risk.


Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.