MetaMask Security Report: August 2025

Featuring a seasoned dev getting drained, our latest LavaMoat security tools, malicious AI extensions, and more.


Each month, MetaMask reports on the global crypto security news that you need to know about. Dive into the action below.


But first... meet our STEM pioneer of the month!👩‍🔬

Alonzo Church was key to formulating the Church-Turing thesis with his mentee Alan Turing. He is also known for developing lambda calculus, which established a theoretical framework for computer science.

🦊 What we’ve been up to 🦊

🌋 Meet our new LavaMoat tool, Kipuka

Kipuka is a security tool designed to protect developers from harmful npm packages. Specifically, it aims to decrease the likelihood of a successful attack in which a malicious npm package tries to harm or compromise a developer's local machine when the package is installed or used during development. With the increasing popularity of stealer malware and desktop-targeting worms distributed inside npm packages, Kipuka aims to make such attacks ineffective even when they are not limited to install scripts.
Putting dev environments in containers or Virtual Machines (VMs) is nothing new. What makes Kipuka unique is that, once installed, it transparently runs your calls to the npm CLI (or other package managers) in containers, so you never have to remember to set up or start a secure environment first.

Get early access, and test it out for compatibility with various workflows and configurations before its beta release!

LavaMoat Webpack Plugin compatibility update

The LavaMoat Webpack Plugin also received an update, increasing its compatibility with Webpack features, browser capabilities, and the wider ecosystem. The plugin is now out of beta. Adopt it in your web UI projects today, and be sure to stay in the know with all of our latest LavaMoat releases here.

Meanwhile…

FUD that Google will be banning all non-custodial wallets from app stores is false!

In mid-August, rumors began circulating on CT that Google would soon be banning non-custodial wallets from its app store. Not so, and debunked by Google itself! TL;DR: MetaMask is here to stay.

Coinbase pushes for ZK-powered anti-money-laundering overhaul after 70K-customer data hack

Just a few months after suffering a major data breach that affected nearly 70,000 customers, Coinbase is now pointing to cryptographic privacy tools as a potential fix for what it calls “arcane” financial crime laws. The Bank Secrecy Act (BSA) is “still rooted in decades-old requirements that reflect paper-based compliance protocols and a financial system in which funds moved over days, not seconds,” explains Coinbase’s Chief Legal Officer, Paul Grewal.
“Beyond the annoyance customers feel every time they repeat the KYC process, these personal files are honeypots for criminals. Companies are required by law to hold your data for years and to send that data to bureaucrats.” While Coinbase isn’t directly blaming the BSA for its data leak, it appears as though the company is trying to shift the narrative into a broader discussion about BSA regulatory requirements and their associated risks. We’ll keep you posted on how this plays out…

Turkey detains crypto researcher

Following Tornado Cash developer Roman Storm’s trial and conviction in Turkey, a researcher known as Fede’s Intern, aka Federico Carrone, was taken into custody by Turkish airport agents while trying to enter the country. He was detained due to a case filed by the Minister of Internal Affairs that accused him of helping people misuse Ethereum. Seemingly, his only connection to the matter is a paper he wrote exploring de-anonymization techniques for Tornado Cash. Carrone never developed any privacy features for Tornado Cash.
“The Minister of Internal Affairs had filed a case accusing me of helping others misuse Ethereum, allegedly in connection with a privacy protocol,” shared Carrone. “Writing code to make transactions private doesn’t make you a criminal. Criminals are those who break the law.”
MetaMask’s Taylor Monahan also weighed in: “One of the more interesting and unreported downsides to the US’ approach to crypto is the impact it has on other countries and, thus, globally. Countries that often fall somewhere between incompetent, broken, and utterly corrupt.”

LastPass breach saga endures

Software company Toptal had its GitHub org breached, and some of its packages were published with malicious scripts added. This reflects a broader trend of malware being snuck into well-established packages.
Following news about the hack, Toptal also revealed that both the Picasso and Xene packages were compromised for several hours on June 20, 2025. Toptal believes the incident was connected to a credential compromise stemming from the LastPass breach.
In case you thought we were done dealing with the fallout of the gargantuan LastPass shakedown, think again! Crypto was, and is, just an early target. Rotate everything you ever stored in LastPass prior to the breach.

Canada-led global coalition uncovers over $70M in stolen crypto

Project Atlas is a victim-centered initiative led by the Ontario Provincial Police’s Cyber-Enabled Fraud Team (CEFT), focused on identifying and disrupting investment scams. Led by Canada but global in scope, it brings together an international coalition of law enforcement agencies and private-sector stakeholders. To date, the project has uncovered more than $70M in stolen crypto assets across over 2,000 wallets, and has frozen $50M.

⚠️ Tales of caution ⚠️

Malicious AI extension drains core Ethereum dev’s wallet

Summary
Cointelegraph reports on core Ethereum developer Zak Cole getting drained by a malicious extension for the Cursor AI editor, despite his sound operational security. “In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole explained.
The attack worked by publishing a malicious extension that leveraged typosquatting to mimic a legitimate one. In this case, the attackers impersonated a legitimate Solidity extension by posing as its well-known publisher, Juan Blanco. The malicious extension was published by “Juan Bianco” instead of “Juan Blanco”.
How users can stay safe
Even if you are hurrying to ship quickly, always remember to read the fine print. Remember: because of how listings are formatted, some characters and design elements of a malicious extension can look identical to the legitimate one, and this is an exploitation vector.
Scammers have even been able to place ads for their bogus extensions in app stores. To protect yourself, check the publishing date of an extension before you add it to your IDE. Cole also pointed out that the malicious extension showed an extremely high download count despite having been published only a few days earlier. This is extremely uncommon, as extensions do not amass that kind of download count in such a short period of time. Be on the lookout for strange combinations of words in the listing description, and for developer locations in unlikely places.
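The two signals above, a publisher name that is one character off and a download count that is implausible for the listing's age, can be checked mechanically. This is an added example, not code from the post or from any extension marketplace; the confusable-character table, the edit-distance cutoff and the velocity thresholds are assumptions chosen for illustration.

```javascript
// Map common homoglyphs to ASCII before comparing names ("Bianco" is one edit
// from "Blanco"; a Cyrillic "а" in "Blаnco" is zero edits once normalized).
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"], // Cyrillic а е о р
  ["\u0441", "c"], ["\u0445", "x"], ["\u0456", "i"], ["\u0455", "s"], // Cyrillic с х і ѕ
  ["0", "o"], ["1", "l"], ["|", "l"],
]);

// Canonical form: lower-case, fold homoglyphs, treat "rn" as "m", drop whitespace.
function canonical(name) {
  let out = "";
  for (const ch of name.toLowerCase()) out += CONFUSABLES.get(ch) ?? ch;
  return out.replace(/rn/g, "m").replace(/\s+/g, "");
}

// Levenshtein edit distance, single-row version (names are short, so O(n*m) is fine).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// "trusted" only on an exact allowlist match; "lookalike" when the canonical form
// is within MAX_DISTANCE of a trusted publisher; "unknown" otherwise.
const MAX_DISTANCE = 2; // assumed cutoff
function checkPublisher(candidate, trusted) {
  if (trusted.includes(candidate)) return { verdict: "trusted", closest: candidate, distance: 0 };
  const c = canonical(candidate);
  let best = { verdict: "unknown", closest: null, distance: Infinity };
  for (const t of trusted) {
    const d = editDistance(c, canonical(t));
    if (d < best.distance) best = { verdict: d <= MAX_DISTANCE ? "lookalike" : "unknown", closest: t, distance: d };
  }
  return best;
}

// Download-velocity heuristic from the post: a listing only days old with a count
// no genuine extension reaches that fast. Thresholds are assumptions.
function suspiciousVelocity(downloads, ageDays) {
  return ageDays <= 7 && downloads / Math.max(ageDays, 1) > 10000;
}
```

Run `checkPublisher` against a short allowlist of publishers you actually rely on; anything that comes back `lookalike` deserves a manual look at the listing before it goes into the IDE.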

DPRK infiltration of crypto projects continues

Summary
An unnamed security researcher broke into a DPRK IT worker’s device and revealed how a small North Korean team manages a wide set of fake personas that get hired for software roles. ZachXBT reveals that this DPRK IT crew was deeply embedded at five crypto companies. The operatives pull this off by purchasing fake identities, LinkedIn accounts, and Upwork accounts in order to obtain jobs. This tactic helps them build a reputation as credible developers.
How users can stay safe
If you are a crypto company and think you may have been compromised: first, check that the exposed LinkedIn, GitHub, and email accounts of the DPRK workers are not associated with anyone in your organization. Then, modify your hiring process to include ways to validate the location of prospective employees.

AI-made malware gets 1500+ downloads before takedown

Summary
AI-generated malware was uploaded to npm and downloaded by over 1,500 people before it was removed. The package leveraged postinstall scripts to compromise victims’ private keys. The postinstall scripts were designed to run covertly on Windows, macOS, and Linux devices. Once installed, the malware scanned for files storing private keys.
How users can stay safe
Developers can stay safe by using the security controls created by LavaMoat. Leveraging @lavamoat/allow-scripts and Kipuka prevents malicious postinstall scripts from making their way into your apps. Additionally, make sure to only download and execute projects released by reputable sources. If you must download unverified or unpopular packages, it’s best to use a throwaway VM to download and execute them. That way, in the event the VM is compromised, the secrets on your personal computer stay protected.

Looking for more crypto security news from the frontlines? Head here to peruse previous editions of Luker's Security Reports, and get additional tips for how you can stay safe in the ecosystem.
