Cryptocurrency attack thwarted by npm team

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of …

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

On 8 March 2019, the sneaky developer published what appeared to be a useful update to a software component used by the Agama wallet. The attacker, who called themselves ‘sawlysawly’, posted the update on the GitHub developer collaboration website where Komodo hosts its source code.

Open source developers like to reuse each others’ software rather than reinventing the wheel. When a software application relies on a third party to do something, it’s called a dependency. The third-party building blocks on which applications depend are known as packages or modules, and people publish them in central repositories for developers to find. One of those repositories is npm. Started in 2009, it deals with JavaScript packages.

An npm package called electron-native-notify was introduced by sawlysawly as a dependency in the Agama wallet, meaning that the new version of the wallet would use that code.

At the time of the commit, the version of electron-native-notify (1.1.5) on npm was legit, but 15 days after making the commit, the npm package was updated to 1.1.6, which included a malicious payload. The next version of Agama was released on 13 April 2019.

The change in electron-native-notify enabled the attacker to steal the wallet seed, which is a secret phrase that enables users to retrieve their coins using any wallet.

Wallet seeds are a great way to get at your coins from anywhere, meaning that if your hard disk crashes and your wallet is erased, you can still get your coins back (unlike this guy). The downside is that if anyone gets your seed, they can use it to pilfer your cryptocurrency by accessing your addresses and transferring the coins out.

The attacker configured the malicious code to copy the seed phrases from infected Agama wallets to a public server. That way, the attacker could visit the site and access the seeds, but no one could pin the crime on them. They then began emptying peoples’ accounts, said Komodo.

The npm team discovered the problem in early June after its own security analysis software alerted it. It told Komodo, which then raced to secure the vulnerable funds. It used the seeds stored on the public server to retrieve the compromised funds, moving them to a secure wallet.

This was a well thought out attack, explained Komodo in its own post on the topic:

It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.

The company has begun returning coins, urging affected users to fill out an online form. It has prioritised accounts with smaller amounts, under 7777 KMD, promising to return these accounts’ funds by 15 June. As of Sunday 9 June, it explained on its Discord channel that it had returned these users’ KMD in full, amounting to around $1m in funds, beating its own deadline by a week. Now it can begin on the larger accounts.

Komodo was eager to point out that only the Komodo Agama wallet was affected, and that another version of Agama, supporting a different Komodo project called VerusCoin, was not affected.

This shows how important it is for developers to test any third-party package on which their software depends. The more dependencies you use, the larger your potential attack surface becomes. Repositories can do some of the security work, but then you’re relying on a third party working on its own schedule to verify the software that you’re using. Props to npm for flagging this when it did, and to Komodo’s team for acting so quickly to fix the issue.

Related Posts:

  • No Related Posts

Statista Study Shows 36 Million Crypto Wallets Created, Steady on the Rise Regardless of Prices

Anyone who wants tog et involved in cryptocurrency in any way needs to get themselves a good cryptocurrency wallet. It is the means by which you …

Statista, a company that publishes market and consumer data on a quarterly level every three years, has released a report on the number of cryptocurrency wallets worldwide.

The number has jumped in the last three years from 6.7 million, the figure from Q1 2016, to the current quarter in Q1 2019 that sits at 34.6 million. There has been a constant increase every quarter, with particular jumps in Q4 2017 and Q1 2019.

The highest peaks came at the times that most people would predict, even with a cursory knowledge of the cryptocurrency landscape. These were the last month of Q1, where 2 million new wallets were created and in Q4 of 2017 when the number of wallets jumped by about 2.5 million.

The total number of wallet users at the end of April 2019 was measured as 36.6 million according to calculations done by and their estimation the number was only 5800 at the end of April 2012. This shows that despite the numerous setbacks that cryptocurrency has faced in the last seven years, the number of active users has increased dramatically along the way.

Choosing A Good Wallet Is Important

Anyone who wants tog et involved in cryptocurrency in any way needs to get themselves a good cryptocurrency wallet. It is the means by which you store your coins, but it also acts as the method by which you receive payment and pay others. Where you place your priorities will help you decide what type of wallet you will be using.

Hardware wallets, for instance, offer greater security. Trezor and Ledger are two great examples of hardware wallets. There are also desktop wallets such as Jaxx and Exodus that can be looked at if you want a less secure option.

The lest secure option would be an online wallet such as the option offered by Coinpayments. Mobile wallets have also come far along since the dawn of crypto and there are a number of them that are available. One of the more popular mobile wallets is Edge and its popularity is well earned. also offers a relatively safe and popular wallet. All the wallets mentioned so far support multiple currencies. However, if you are prioritizing a light wallet, that does not use up too many resources but is available on various different platforms, then the Wallet might be your cup of tea.

It is available on Windows, Mac, and Linux and is an open-source wallet that supports both Bitcoin (BTC) and Bitcoin Cash (BCH). Their wallet allows you to store and buy both the cryptocurrencies mentioned before.

Sending and receiving the two is also possible with this featherweight wallet. It’s great because it allows users to buy Bitcoin directly with a credit card, something that is only usually offered when you keep your wallet with a third party. It is available to people in the US, the UK and the European Union.

There is one more perk of using the Wallet and that is because it is a non-custodial wallet. That simply means you are in control of your funds 100%. In the last two years, over 4 million people have started using the Wallet which means that 2 million people every year trust their cryptocurrency with this platform.

There is also a built-in wallet with the Opera browser for Android. While it might not be the safest bet you’ll make, it could be a great little tool to have if you already use Opera. It might even tempt some to move to Opera. It all depends on how you feel about a mobile wallet that is front and center when you’re browsing.

Many in the information security industry would balk at using a wallet that is baked into a browser as browsers are the front line for any malware attacks. However, it could be that they will start a trend with other browsers following suit.

Cash Account Protocol Becoming Popular

There is a new protocol and it is slowly being adopted by more and more wallet apps, particularly mobile ones. The latest to adopt the Cash Account protocol is a new open source wallet called Crescent Cash.

It facilitates the sending and receiving of Bitcoin Cash to a specific username, rather than a complicated alphanumeric address. The key feature, however, is that Cresent Cash will support Cash Accounts by default. You don’t need to fiddle about with settings. It will be set up as soon as you install the wallet.

Related Posts:

  • No Related Posts

Trust Wallet enables WalletConnect for connecting to desktop DApps

Trust Wallet, the official cryptocurrency wallet of Binance with built-in DApp browser, today announced a new feature, WalletConnet, an open protocol …

Trust Wallet, the official cryptocurrency wallet of Binance with built-in DApp browser, today announced a new feature, WalletConnet, an open protocol for connecting desktop DApps to mobile wallets using end-to-end encryption.

This means that Trust Wallet is now integrated with Binance DEX through WalletConntect. Users just need to scan the WalletConnect QR code shown on, and can then easily link up their wallet with the DEX.

WalletConnect allows all Trust Wallet users to interact with any DApp without compromising recovery phrases or private keys, as users are notified to approve all transaction requests directly from their mobile device.

“WalletConnect enables a much easier and more secure user experience across all blockchains and brings us one step closer to our core mission goal: to make crypto more accessible. This technology is opening up a whole world of DApps that were once only available to Desktop users.”

Trust Wallet Founder and CEO Viktor Radchenko

“Excited to see Trust Wallet supporting WalletConnect, bringing the future of the mobile experience on Ethereum to all of its users. We look forward to this new user experience across the top decentralized applications on Ethereum and other blockchains.”

Pedro Gomes, Creator of WalletConnect

Trust Wallet supports Bitcoin, Ethereum, Litecoin, Tron, XRP, all ERC-20 tokens, and many other cryptocurrencies. Enabling WalletConnect allows mobile users to experience DApps that were previously only available on desktop. This is an important next step in continuing with the greater Trust Wallet mission to make its multi-asset wallet as easy-to-use and accessible as possible.

Related Posts:

  • No Related Posts

Altcoin News: Dogecoin Now Supported by Coinbase

According to Coinbase, the addition of the virtual asset is in line with its goal to offer customers a world-leading user-custodied cryptocurrency wallet …
  • Coinbase announces support for Dogecoin cryptocurrency for its crypto wallet app
  • The exchange to also support DOGE testnet tokens for developers on the DOGE network

Coinbase, a San Francisco based cryptocurrency exchange founded in 2012 announced this Wednesday that its Coinbase Wallet app for Android and iOS now supports Dogecoin as well as DOGE Testnet in a bid to meet its goal to create the world’s leading user-custodied cryptocurrency wallet.

Per the blog post, Coinbase Wallet app now supports the storage of Dogecoin, the 27th largest cryptocurrency by market capitalization according to Coinmarketcap’s platform. Dogecoin has historically struggled to find listings on larger exchanges, as it has no team to pay listing fees for it.

As a result, a new wallet update will be rolled out to Android and iOS devices over next week and it will also support DOGE Testnet in order to aid developers and power users.

According to Coinbase, the addition of the virtual asset is in line with its goal to offer customers a world-leading user-custodied cryptocurrency wallet which currently supports Bitcoin, Ethereum, and over 100 ERC20 and ERC71 tokens based on the Ethereum blockchain.

The Coinbase Wallet app differs from the primary Coinbase app, app since it allows a user to store their own private keys which can be used to access their wallet.

On that note, the digital exchange platform stated that a Secure Enclave technology is used to encrypt the private keys on the user’s phone in order “to bring you best-in-class security.” The hardware employed is also the most secure way of safeguarding sensitive data on smartphones.

On the contrary, app enables customers to buy cryptocurrency while Coinbase stores the private key to the wallet on their behalf. As such, the Coinbase Wallet app ensures that only the owner of the funds know their private key and retains full control of it.

Much ado about Coinbase

Coinbase has made the headlines frequently in the past few weeks due to the recent developments on its platforms.

On April 10, 2019, the U.S. based company announced its launch of a Visa Debit card for U.K customers which will enable them to make daily purchases in the real world using their cryptocurrency.

Blockchain Reporter on April 18, 2019, also informed of Coinbase for support for Augur (REP) token on its platform which will enable its customers to buy, sell, convert, send, receive and store the virtual asset.

A more recent report on April 24, 2019, revealed that Coinbase is shutting down its office in Chicago and has taken a step back from the launch of its matching machine.


Related Posts:

  • No Related Posts

HTC set to launch new bockchain phone in H2 2019

The device features its own cryptocurrency wallet that makes the phone function as a hardware digital currency wallet that can also store private keys.
HTC set to launch new bockchain phone in H2 2019

HTC, the Taiwan-based smartphone maker, is planning to release another blockchain handset, after its first model, the Exodus 1, has achieved some success since its launch.

Second generation

As reported by local news outlet Taiwan News, the launch, which is scheduled for the second half of the year, is aimed at increasing the Taiwanese company’s presence in the global blockchain market. The move was announced by HTC’s decentralised chief officer Phil Chen during a speech at an investment trend forum held in Taipei last Friday. During the speech, Chen expressed optimism about the future of blockchain, saying that while the technology was still in its early stages of development, it could one day unlock tremendous commercial potential. He added that the core strength of the technology is its ability to provide accessibility to data while ensuring the privacy of users.

HTC launched its first blockchain phone, the Exodus, in October, with Chen saying at the time that boosting user privacy was the company’s primary motivation for the move. The device features its own cryptocurrency wallet that makes the phone function as a hardware digital currency wallet that can also store private keys.

“And the reason why you do a blockchain phone is … for everybody just to own their own keys. Everything starts there. When you start owning your own keys, then you can start owning your own digital identity, then you can start to own data,” Chen said in an interview with CNBC at the time.

Last Friday, Chen indicated that the phone has so far enjoyed some success, with its sales meeting the company’s expectations. He also revealed that the second generation would have expanded blockchain capabilities.

“In addition to supporting the management of cryptocurrencies and related transactions, and virtualized personal electronics wallet seen in the prior generation, the new phone will extend its blockchain apps to include other areas such as browsing, messaging, and social media,” Chen said, as quoted by media outlet DigiTimes.


HTC’s efforts are part of a nascent trend of phone manufacturers launching blockchain-ready products. One of the first companies to take steps in that direction was a start-up called Sirin Labs, which last November launched its first product, the Finney handset. Unlike HTC, however, Sirin has struggled to find success since the phone’s launch. Media outlet last month reported that the company had laid off a quarter of its staff as sales failed to meet expectations.

South Korea’s consumer electronics giant Samsung appears poised to be a more formidable competitor to HTC in this space. Already one of the largest phone makers on the market, Samsung included blockchain features, such as crypto wallet and private key storage in its latest flagship device, the Galaxy S10.

More Resources

Add Comment Cancel reply

Related Posts:

  • No Related Posts