agama
Agama wallet compromised via malicious dependency backdoor
The Agama cryptocurrency wallet application inadvertently included a compromised version of the `electron-native-notify` NPM package (v1.1.6) as a dependency in its builds. This resulted in official Agama wallet releases containing a backdoor (reverse shell) inherited from the dependency, potentially allowing attackers remote access and theft of wallet seeds or private keys.
- Date
- 2018-08-01 to 2018-08-13
- Category
- Open Source
- Target Surface
- Revision control
- Insertion Phase
- dependency
- Impact
- Backdoor
- Cause
- Malicious Dependency
What Was Affected
Package
agama
LanguageJavascript
ComponentApplication
Artifact typebinary archive
Domain typecode host
Domain
github.com
Repository
github.com/KomodoPlatform/Agama
Compromised Versions
- 0.3.3
- 0.3.4
Incident Context
- Motive
- Financial gain
- Attribution
- Compromised Dependency
- Transitive
- Yes
- Observed Duration
- 12 days
Evidence
Compromised Artifacts
- pkg:github/KomodoPlatform/Agama@v0.3.3
- pkg:github/KomodoPlatform/Agama@v0.3.4
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:07f16d95f3c91dbd2ddf974d4b95d8dcec39b09b8906fa3b35e0a0da78fe8f76
External References
Source Data
Source record: oss/agama/meta.yaml