Open Source · 2019-03-23 · 74 days · Backdoor, Credential Theft

electron-native-notify stole wallet seeds

electron-native-notify was published as useful npm code, then changed to steal Agama wallet seeds after the target adopted it.

Story

electron-native-notify was a staged dependency attack, not a random poisoned package. npm described the pattern plainly: publish a useful module, wait until the target adopts it, then update the same module with the payload.

The timing was the story. The package appeared on npm on March 6, 2019; on March 8, GitHub user sawlysawly added electron-native-notify@^1.1.5 to Komodo's EasyDEX-GUI application, which fed into the Agama wallet. Fifteen days later, version 1.1.6 introduced the first malicious payload.

The malicious code reached out to updatecheck.herokuapp.com, downloaded a second-stage script, and waited for wallet material. When a user entered an Agama seed or passphrase, the dependency sent that secret to the attacker's remote server. That made the npm package a wallet-key thief, not a general-purpose backdoor.

Agama 0.3.5 shipped after the malicious release, and later electron-native-notify versions stayed unsafe until npm removed the package. npm privately notified Komodo on June 4, 2019, and coordinated removal and user protection.

The package-level record matters because the same artifact explains the downstream Agama loss. The Agama record carries the fund movement and user impact; this record carries the poisoned npm object, the staged adoption, and the registry timeline.

Affected Artifacts

electron-native-notify

· repository · Source Archive
Observed
2019-03-23 to 2019-06-05
Compromised Versions
  • 1.1.6 - 1.2.2
Fixed
Not listed
Hashes
  • sha256:07f16d95f3c91dbd2ddf974d4b95d8dcec39b09b8906fa3b35e0a0da78fe8f76
  • npm's incident timeline identifies version 1.1.6 as the first malicious release; later package versions remained unsafe until the package was removed.
  • The package was introduced into EasyDEX-GUI before the malicious version was published, matching npm's useful-package-then-payload staging pattern.
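
The following audit sketch is an added example, not code from npm, Komodo or the package itself. It checks a manifest and lockfile against the compromised versions listed in this record (1.1.6 - 1.2.2) and shows that the declared range ^1.1.5 admits 1.1.6. The helper names are hypothetical, the lockfile shape assumes npm's lockfileVersion 1 layout, and only exact pins and caret ranges are interpreted.

```javascript
// Added example: constructed data, not code from Komodo, Agama or npm.
const PKG = "electron-native-notify";
const BAD_MIN = [1, 1, 6], BAD_MAX = [1, 2, 2]; // compromised range from this record

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
const isCompromised = (v) => cmp(parse(v), BAD_MIN) >= 0 && cmp(parse(v), BAD_MAX) <= 0;

// Bounds [low, high) of a declared range. Only exact pins and caret ranges are
// handled (simplification); anything else is reported as "unknown".
function bounds(spec) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) {
    const [M, m, p] = parse(spec);
    return [[M, m, p], [M, m, p + 1]];
  }
  const c = /^\^(\d+\.\d+\.\d+)$/.exec(spec);
  if (!c) return null;
  const [M, m, p] = parse(c[1]);
  const high = M > 0 ? [M + 1, 0, 0] : m > 0 ? [0, m + 1, 0] : [0, 0, p + 1];
  return [[M, m, p], high];
}

// Does the declared range overlap the compromised interval?
function admitsCompromised(spec) {
  const b = bounds(spec);
  if (!b) return "unknown";
  return cmp(b[0], BAD_MAX) <= 0 && cmp(b[1], BAD_MIN) > 0;
}

function audit(manifest, lock) {
  const spec = (manifest.dependencies || {})[PKG];
  const resolved = ((lock.dependencies || {})[PKG] || {}).version;
  return {
    declared: spec || null,
    rangeAdmitsCompromised: spec ? admitsCompromised(spec) : false,
    resolved: resolved || null,
    resolvedCompromised: resolved ? isCompromised(resolved) : false,
  };
}

// Constructed inputs: the range from the EasyDEX-GUI commit, two lockfile states.
const manifest = { dependencies: { [PKG]: "^1.1.5" } };
const lockBefore = { dependencies: { [PKG]: { version: "1.1.5" } } };
const lockAfter = { dependencies: { [PKG]: { version: "1.1.6" } } };
console.log(audit(manifest, lockBefore), audit(manifest, lockAfter));
```

A lockfile that resolves to 1.1.5 is clean at that moment, but the range flag stays true: any install that re-resolves the caret range could have picked up a compromised version while the package was still on the registry.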

Incident Context

Motive: Credential Theft
Attribution: Person
Cause: Malicious Package
Transitive: Yes
Actor: Individual Hacker

External References

Source record: oss/attacks/electron-native-notify/meta.yaml