
Yet another malicious package found in npm, targeting cryptocurrency wallets

Simon Maple, June 17, 2019

Cryptocurrency wallet developer Komodo has been in the news recently as the most recent victim of an attempted cryptocurrency attack by malicious code injection via npm dependencies. The EasyDEX-GUI project, which provides a graphical user interface (GUI) to SuperNET/Iguana cryptocurrency APIs and is used by Komodo’s Agama wallet, has been found to contain a malicious package named electron-native-notify. This was disclosed via a GitHub commit against the source repo by GitHub user sawlysawly. It is estimated that approximately $13 million USD in cryptocurrency is stored in the Agama wallets, a portion of which could have been stolen had the npm security team not acted when they did.

We at Snyk have now added the malicious package to our vulnerability database. If your project is being monitored by Snyk and we find the malicious dependency (any version of electron-native-notify), you will be notified via Snyk’s routine alerts.

If your projects are not monitored by Snyk and you’d like to test them for the use of this package you can do so below, or by using our CLI to test your projects locally.


The timeline of events

6 March 2019: Non-malicious electron-native-notify package is added to npm at version 1.0.0.

8 March 2019: 9 minor releases later, electron-native-notify v1.1.5 is published to npm.

8 March 2019: User sawlysawly added a commit that added the electron-native-notify dependency to the EasyDEX-GUI project at version “^1.1.5”. EasyDEX-GUI is used by the Agama wallet, which was affected.

23 March 2019: Malicious version of electron-native-notify package published to npm at version 1.1.6.

Sometime between 16 April and 11 May 2019: The Agama Wallet is rebuilt and published, using the most recent version of the electron-native-notify library, which at the time is 1.2.0.

4 June 2019: The npm security staff and Komodo removed the malicious dependency from the EasyDEX-GUI projects and pulled the package from npm, replacing it with a clean security version.

5 June 2019: npm and Komodo publicly announce the security flaws to their users.

The impact

The malicious code sends an HTTP GET request to a Heroku endpoint, https://updatecheck.herokuapp.com/check, reportedly downloading a payload that further executes and sends the wallet seed to the same server. The npm team created a video that shows this in action:

I’m affected, what should I do next?

Your immediate priority should be to check if you are using the malicious library in question. If so, future builds of your application will fail, but any previously deployed applications likely contain (and are potentially executing) the malicious code.

If your project is being monitored by Snyk, you will be notified via Snyk’s routine alerts should your application contain this malicious package.

If, however, you are not monitoring your projects with Snyk (yet!), you can run a one-off test by clicking here to test your repositories, or by using our CLI to test your projects locally.
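
A local check that needs no external service, as an added example (not code from Snyk, npm or Komodo): it shows why the “^1.1.5” range in the timeline admitted the later malicious releases, and finds direct or transitive copies of the package in a parsed package-lock.json. The function names, the simplified caret check and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: names below are illustrative, not from npm's or Snyk's tooling.
const PKG = "electron-native-notify";
const FIRST_BAD = [1, 1, 6]; // first malicious release, per the timeline

const parse = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Simplified caret check, valid for ranges with major >= 1 such as "^1.1.5":
// same major version, and not older than the base version.
function caretAllows(range, version) {
  const base = parse(range.replace(/^\^/, ""));
  const v = parse(version);
  return v[0] === base[0] && cmp(v, base) >= 0;
}

// Find every installed copy of PKG, direct or transitive, in a parsed
// package-lock.json. Handles the nested "dependencies" tree (lockfile v1)
// and the flat "packages" map (lockfile v2/v3).
function findInLockfile(lock) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG) hits.push({ path: here.join(" > "), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  for (const [key, info] of Object.entries(lock.packages || {})) {
    if (key.endsWith("node_modules/" + PKG)) hits.push({ path: key, version: info.version });
  }
  // suspect = version is at or after the first malicious release
  return hits.map((h) => ({ ...h, suspect: cmp(parse(h.version), FIRST_BAD) >= 0 }));
}

// Constructed sample lockfile (v1 layout); "some-gui" is a made-up package.
const sampleLock = {
  dependencies: {
    "some-gui": { version: "0.1.0", dependencies: { [PKG]: { version: "1.2.0" } } },
    lodash: { version: "4.17.11" },
  },
};

const published = ["1.0.0", "1.1.5", "1.1.6", "1.2.0"]; // versions named in the timeline
console.log(published.filter((v) => caretAllows("^1.1.5", v)));
console.log(findInLockfile(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to findInLockfile; a v2 lockfile records each copy in both layouts, so the same copy may be reported twice.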

If you’re a user of the Agama wallet, or you have other assets than KMD and BTC, Komodo strongly recommends moving all funds from Agama to a new address as soon as possible. They list safe wallets and provide information about moving on their support page.
