Open Source · 2019-04-13 · 53 days · Backdoor, Remote Code Execution

Agama wallet dependency stole seeds

Komodo's Agama wallet pulled in a poisoned npm dependency that exfiltrated wallet seeds. Tipped off by npm, Komodo raced the thief, using the same exposed seeds to move at-risk funds before more could be stolen.

Story

Agama was hit through its build chain, not through the Komodo blockchain. A GitHub contributor added electron-native-notify, a package that was harmless at the time, as a dependency of the EasyDEX-GUI application that Agama bundles; the npm package was later updated with code that stole wallet seeds and passphrases, and the wallet build pulled the update in.
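The check that would have surfaced this step is a review of dependency drift between builds. The following is an added example, not Komodo's, Agama's or npm's code: it flattens two package-lock.json files (either lockfile layout), reports every added, removed, changed or unpinned package, and gates a build on an explicit approval list. The sample lockfiles are constructed; the baseline version "1.1.0" and the integrity strings are placeholders, since the page records only 1.1.6 as the version that carried the payload.

```javascript
// Added example (not Komodo's, Agama's or npm's code): audit the drift between
// a known-good package-lock.json and the one a build is about to use. A
// dependency that was harmless when added and later republished with a payload,
// as the page describes for electron-native-notify, surfaces here as a version
// and integrity change that someone has to approve before the release ships.

// Flatten either lockfile layout into Map(name -> { version, integrity }).
// lockfileVersion 2/3 keeps entries under "packages", keyed by install path;
// lockfileVersion 1 nests them under "dependencies". When the same package
// appears at several nested versions, the first one seen is kept (a
// simplification; key by install path if you need every copy).
function flattenLock(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project, not a dependency
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (!out.has(name)) out.set(name, { version: entry.version, integrity: entry.integrity || null });
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (!out.has(name)) out.set(name, { version: entry.version, integrity: entry.integrity || null });
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// Compare baseline to candidate and return a plain report object.
function diffLocks(baseline, candidate) {
  const before = flattenLock(baseline);
  const after = flattenLock(candidate);
  const report = { added: [], removed: [], changed: [], unpinned: [] };
  for (const [name, next] of after) {
    if (!next.integrity) report.unpinned.push(name); // nothing to verify the tarball against
    const prev = before.get(name);
    if (!prev) {
      report.added.push(`${name}@${next.version}`);
      continue;
    }
    if (prev.version !== next.version || prev.integrity !== next.integrity) {
      report.changed.push({
        name,
        from: prev.version,
        to: next.version,
        integrityChanged: prev.integrity !== next.integrity,
      });
    }
  }
  for (const name of before.keys()) if (!after.has(name)) report.removed.push(name);
  return report;
}

// CI gate: every added or changed package must be on the approved list, and
// every package must carry an integrity hash. Returns the list of violations.
function gate(report, approved = new Set()) {
  const findings = [];
  for (const c of report.changed) {
    if (!approved.has(`${c.name}@${c.to}`)) findings.push(`changed: ${c.name} ${c.from} -> ${c.to}`);
  }
  for (const n of report.added) if (!approved.has(n)) findings.push(`added: ${n}`);
  for (const n of report.unpinned) findings.push(`unpinned: ${n}`);
  return findings;
}

// Constructed sample lockfiles, not real Agama data. The baseline version
// "1.1.0" is made up (the page records only 1.1.6 as the version that carried
// the payload) and the integrity strings are placeholders, not npm hashes.
const BASELINE = {
  lockfileVersion: 1,
  dependencies: {
    'electron-native-notify': { version: '1.1.0', integrity: 'sha512-placeholderOld' },
    lodash: { version: '4.17.11', integrity: 'sha512-placeholderLodash' },
  },
};
const CANDIDATE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-wallet-gui' },
    'node_modules/electron-native-notify': { version: '1.1.6', integrity: 'sha512-placeholderNew' },
    'node_modules/lodash': { version: '4.17.11', integrity: 'sha512-placeholderLodash' },
    'node_modules/left-pad': { version: '1.3.0' }, // added, and with no integrity field
  },
};

const REPORT = diffLocks(BASELINE, CANDIDATE);
for (const line of gate(REPORT)) console.log(line);
// Prints three findings: the electron-native-notify bump, the added left-pad,
// and left-pad's missing integrity hash.
```

Run against the real baseline and candidate lockfiles in CI and fail the build on any finding; the approval set is the place where a human signs off on a specific `name@version` after reading the diff of the published tarball, not just the changelog.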

The malicious package version was published before Agama's affected release, so that release bundled it. When a user opened the wallet and entered a seed or passphrase, the dependency sent the secret to a remote server the attacker controlled, where it could be used later to take the funds. The payload was narrow and practical: steal the material that controls the coins.
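A second layer a wallet can add against this kind of payload is egress control in the application itself. The block below is an added example, not Agama's code; it assumes Agama is an Electron application (the page does not say so, though the dependency name points that way) and uses Electron's `session.webRequest.onBeforeRequest` to cancel any request that is not TLS to an allow-listed host. The hostnames, the fake session object and the sample URLs are constructed so the block runs under plain Node.

```javascript
// Added example, not Agama's code. Agama is an Electron application (an
// assumption about the stack that the page itself does not state; the
// dependency name points that way). Electron's main process can veto every
// request that goes through Chromium's network stack (renderer fetch/XHR,
// images, scripts, WebSockets) with session.webRequest.onBeforeRequest, so a
// wallet can allow only the hosts it actually needs. A renderer-side
// dependency then cannot quietly post a seed to an arbitrary server.
//
// Caveat: code running with Node integration, or in the main process, can use
// Node's http/net modules directly and never passes through webRequest.
// Pinning, integrity hashes and review of dependency updates remain the
// primary control; this is a second layer for the renderer.

// Schemes that load the app's own assets rather than leaving the machine.
const LOCAL_SCHEMES = new Set(['file:', 'data:', 'blob:', 'devtools:', 'chrome:']);

// Policy: local assets pass; everything else must be TLS to an allowed host.
function hostAllowed(urlString, allowedHosts) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable URL: deny
  }
  if (LOCAL_SCHEMES.has(url.protocol)) return true;
  if (url.protocol !== 'https:' && url.protocol !== 'wss:') return false; // no plaintext egress
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Wire the policy into a session. In the app, pass electron's
// session.defaultSession (or win.webContents.session). Returns the array of
// blocked URLs so a caller can surface them to the user or to telemetry.
function installEgressFilter(sess, allowedHosts) {
  const blocked = [];
  sess.webRequest.onBeforeRequest((details, callback) => {
    if (hostAllowed(details.url, allowedHosts)) {
      callback({});
      return;
    }
    blocked.push(details.url);
    callback({ cancel: true });
  });
  return blocked;
}

// Constructed stand-in for an Electron session so the block runs under plain
// Node; it mimics only the onBeforeRequest([filter,] listener) shape used above.
function fakeSession() {
  return {
    webRequest: {
      listener: null,
      onBeforeRequest(filterOrListener, maybeListener) {
        this.listener = maybeListener || filterOrListener;
      },
    },
    request(url) {
      let decision;
      this.webRequest.listener({ url }, (d) => { decision = d; });
      return decision;
    },
  };
}

// Placeholder hostnames (.invalid is reserved and never resolves).
const ALLOWED_HOSTS = new Set(['api.example-wallet.invalid', 'explorer.example-wallet.invalid']);

function demo() {
  const sess = fakeSession();
  const blocked = installEgressFilter(sess, ALLOWED_HOSTS);
  const decisions = {
    api: sess.request('https://api.example-wallet.invalid/v1/balance'),
    exfil: sess.request('https://collector.attacker.invalid/collect'),
    plaintext: sess.request('http://api.example-wallet.invalid/v1/balance'),
    asset: sess.request('file:///opt/wallet/index.html'),
  };
  return { decisions, blocked };
}

const RESULT = demo();
console.log(RESULT.blocked); // the collector URL and the plaintext request
```

The policy deliberately refuses plaintext `http:` even to an allowed host, since a seed sent over it is exposed to the network path as well as to the attacker. Treat any entry in the blocked list as an incident signal: a legitimate wallet build has a short, stable set of hosts it talks to.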

npm's security team privately notified Komodo on June 4, 2019. Komodo found that the attacker had already begun draining wallets, so it used the same exposed seeds itself to sweep about 8 million KMD and 96 BTC into safe custody before the attacker could take them.

The response was unusual because, on chain, it was indistinguishable from theft until Komodo explained it. The blockchain was not broken. The failure was dependency trust, pulled through a wallet build and converted into control over user funds.

Affected Artifacts

agama

github · github.com · repository · Binary Archive
Observed
2019-04-13 to 2019-06-05
Compromised Versions
v0.3.5 (from the npm timeline noted below)
Fixed
Not listed
Hashes
  • sha256:07f16d95f3c91dbd2ddf974d4b95d8dcec39b09b8906fa3b35e0a0da78fe8f76
  • This hash is of the malicious electron-native-notify package that entered Agama's build chain, not of an Agama release archive.
  • npm's incident timeline says electron-native-notify 1.1.6 introduced the payload on March 23, 2019, and Agama v0.3.5 followed on April 13.

Incident Context

Motive
Financial Gain
Attribution
Dependency
Cause
Malicious Dependency
Transitive
Yes
Actor
Compromised Dependency

External References

Source record: oss/attacks/agama/meta.yaml