“If you’re a cryptocurrency startup, would you face a huge backlash by hacking your own customers to keep their funds safe if you know that a hacker is about to launch an attack and steal their funds?” asks ZDNet:
This is exactly what happened yesterday when the Komodo Platform learned about a backdoor in one of its older wallet apps named Agama. Knowing they had little time to act, the Komodo team said it used the same backdoor to extract users’ funds from all impacted wallets and move them to a safe location, out of the hacker’s reach.
The tactic paid off, and 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were taken from users’ vulnerable accounts before the hacker could get a chance to abuse the backdoor and steal users’ funds… While initially, it did not make any sense for a library with a very limited feature-set to contain such an advanced functionality, after investigating the issue, npm staffers realized they were dealing with a supply-chain attack aimed at another app downstream, which was using the now-backdoored library… The npm team said the malicious code would work as intended and collect Agama wallet app seeds and passphrases, and upload the data to a remote server.
These malicious-payload updates are “becoming more and more popular,” according to a post on the official npm blog (a point they later emphasized in a press release).
“After being notified by our internal security tooling of this threat we responded by notifying and coordinating with Komodo to protect their users as well as remove the malware from npm.”