Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
December 2022 saw LavaMoat release its bin confusion mitigation behind an experimental flag, Endo's compartment-mapper bundler pass an initial CommonJS proof of concept, and the Node.js Security Working Group propose a process-level Permission Model that complements LavaMoat's per-package approach. On the threat side, North Korea's Lazarus Group pushed a new AppleJeus malware variant through fake crypto apps, and a month-long social engineering scam drained 14 Bored Apes worth $1.07 million. Closing out the year, the HackerOne bug bounty program passed 100 researchers, PhishFort tracked 19,571 MetaMask-branded phishing attacks, and MetaMask and Laconic launched the MobyMask anti-phishing initiative. The full breakdown is below, but first...
Featured STEM pioneer: Hedy Lamarr, co-inventor of frequency-hopping spread spectrum
Hedy Lamarr (1914–2000), alongside composer George Antheil, patented a "Secret Communication System" in 1942 that used frequency-hopping to keep radio-guided torpedo signals from being jammed. The idea of spreading a signal across rapidly switching frequencies became the foundation for modern spread spectrum technology used in Wi-Fi, Bluetooth, and GPS—the wireless protocols that connect self-custodial wallet users to blockchain networks. Lamarr was inducted into the National Inventors Hall of Fame in 2014.
LavaMoat releases bin confusion attack mitigation behind an experimental flag
LavaMoat released @lavamoat/allow-scripts with the --experimental-bins flag, providing protection against npm bin script confusion attacks for both npm and Yarn 1 projects. The mitigation guards against malicious packages hijacking legitimate CLI commands through npm's bin field linking behavior.
Endo advances its compartment-mapper bundler with CommonJS support
Work on bundling intensified in the Endo project. A series of compatibility fixes moved the compartment-mapper bundler closer to being usable for real projects, and an initial proof of concept of CommonJS support passed its tests.
Node.js Security Working Group proposes a Permission Model aligned with LavaMoat
The Node.js Security Working Group prepared a first proposal for a Permission Model to complement its existing Policy system. The goal is similar to LavaMoat's: reduce the system access exposed to semi-trusted third-party code. The proposed approach resembles Deno's Permissions System in configuring system access at the process level, whereas LavaMoat enables more granular isolation by configuring access at the package level within a process. Once the Node.js Permission Model matures and ships, it should be usable in conjunction with LavaMoat for stronger supply chain protection.
Lazarus Group distributes AppleJeus malware through fake crypto applications
North Korea's Lazarus Group was spotted distributing a new variant of AppleJeus malware through fake cryptocurrency applications and websites, where an unsuspecting user could inadvertently download the malware. The activity was reported by Volexity and covered by The Hacker News on December 5, 2022.
Social engineering scam steals 14 Bored Apes worth $1.07 million
Security analyst Serpent documented a month-long social engineering scam that stole 14 BAYC NFTs worth over 852 ETH ($1.07 million) from a single collector, sharing the analysis on December 17, 2022. Social engineering remained one of the most effective tools for bad actors through the year, with elaborate scams like this one playing out over weeks rather than minutes.
HackerOne bug bounty program builds a network of over 100 researchers in 2022
Through its HackerOne bug bounty program, MetaMask developed relationships with over 100 unique researchers who helped identify many vulnerabilities across the year, contributing to a safer experience for users. The program continued to welcome new participants pursuing bounties.
PhishFort detects 19,571 MetaMask-branded phishing attacks in 2022
Over the year, PhishFort detected 19,571 attacks using MetaMask branding, and within the final 30 days successfully took down 1,873 campaigns. MetaMask also ran known-phishing blocking initiatives in both the browser extension and mobile app, covering MetaMask impersonation and other web3 brand spoofing. The blocklist is owned and managed by Consensys/MetaMask and updated multiple times per day.
MetaMask and Laconic launch the MobyMask anti-phishing initiative
MetaMask introduced MobyMask, a new initiative to proactively protect users from phishing that uses a dynamic web of trust for sourcing phishing reporters, developed with help from Laconic.
MetaMask's December 2022 Crypto Security Report covered the Lazarus Group's new AppleJeus malware distributed through fake crypto applications, a month-long social engineering scam that stole 14 Bored Apes worth $1.07 million, and a year-end wrap spanning LavaMoat's bin confusion mitigation, PhishFort's phishing takedowns, and the launch of the MobyMask anti-phishing initiative. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.