Crypto Security Report: August 2024

Featuring the Wallet Guard integration, Gal Weizman on LavaDome and Shadow DOM, Cthulhu Stealer malware targeting Mac users, malware in a fake developer-job npm package, and DPRK developers found at 25+ crypto projects.

5 minutes
Crypto Security Report: August 2024

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In August 2024, MetaMask shared how the new Wallet Guard integration adds additional layers of security protection for users. Elsewhere, Gal Weizman gave his take on CSS injection, LavaDome, and Shadow DOM. We also shared details of the latest threats and attacks: the Cthulhu Stealer malware targeted Mac users anda malicious npm package disguised as a developer job stole crypto and credentials. Last but not least, ZachXBT uncovered North Korean IT workers who had been hired as developers at more than 25 crypto projects. The full breakdown is below, but first...

Grace Hopper (1906–1992) was a US Navy rear admiral and computer scientist who first devised the theory of machine-independent programming languages—work that led toward COBOL—and is credited with writing the first computer manual. She's also often connected to popularizing the term "debugging." Her famous 1982 lecture is well worth a watch. Hopper's drive to make computing understandable and accessible is the same instinct that good security education relies on today.

Wallet Guard integration makes MetaMask more secure

Wallet Guard joined Consensys in July 2024, and MetaMask detailed three ways the integration makes MetaMask more secure: core technology integration, comprehensive life-cycle protection, and faster response to threats.

Upcoming: MetaMask and Wallet Guard's State of Security on September 25 2024

The next State of Security X space, co-hosted by MetaMask and Wallet Guard, is set for September 25, 2024 and will examine the current crypto threat landscape as well as best security practices, with Miles and Jackson joining from the MetaMask Threat Intelligence and Security Research team. Anyone who misses it can catch the recording here

Gal Weizman on CSS injection, LavaDome, and Shadow DOM

In a response to a recent episode of the Critical Thinking - Bug Bounty Podcast on CSS injection vulnerabilities, Gal Weizman explained LavaDome's design and why it uses Shadow DOM rather than iframes to balance security with user experience. His thread highlights the broader goal of securely integrating sensitive data into web apps and closing gaps in web security design, and revisits how the Snow project influenced browser vendors to consider solving the same origin concern at the browser level.

Cthulhu Stealer malware targets Mac users

What happened

The Cthulhu Stealer malware targets macOS users, challenging the belief that macOS systems are immune to malware threats. Developed as malware-as-a-service (MaaS), it disguises itself as legitimate software through an Apple disk image, prompting users for their password and MetaMask password upon execution. The malware then steals a variety of sensitive information, including cryptocurrency wallets and browser cookies, storing them in a directory for exfiltration. Cthulhu Stealer, similar in functionality to the Atomic Stealer malware, is part of a growing trend of macOS-targeted malware, underscoring the need for vigilance among Apple users. 

How users can stay protected

To protect against threats like the Cthulhu Stealer, macOS users should only download software from trusted sources such as the Apple App Store or official developer websites. Enabling built-in security features like Gatekeeper, which blocks unverified apps, and keeping the system and applications updated with the latest security patches are also critical. Additionally, using reputable antivirus software can provide an extra layer of protection.

By staying informed about potential threats and adopting these proactive security measures, users can significantly reduce their risk of malware infections and safeguard their sensitive information. 

Fake developer jobs laced with malware in an npm package

The sophisticated malware campaign that has been targeting developers with fake job advertisements for months shows no sign of letting up. The malware, disguised as a legitimate npm package named "execution-time-async," installs malicious scripts that steal cryptocurrency and credentials from the victims. The attackers cleverly hid the malware within a test file, exploiting social engineering techniques to lure developers into downloading and executing the compromised package. The malware may be part of a larger social engineering campaign, with ties to North Korean state-sponsored activities. 

ZachXBT uncovers DPRK developers working for 25+ crypto projects

What happened After a team discovered $1.3 million missing from its treasury, they turned to ZachXBT to investigate. He discovered that the team had unknowingly employed North Korean (DPRK) IT workers posing under fake identities as developers, with the stolen funds laundered through a complex path of exchanges, bridges, and mixers. ZachXBT went on to identify more than 25 additional crypto projects that had hired DPRK developers. How users can protect themselves This incident underscores the critical importance of thorough vetting and monitoring of team members, especially in roles with access to sensitive operations. Teams should implement rigorous background checks, utilize secure code practices, and maintain strict oversight of treasury transactions. Additionally, fostering a culture of security awareness and encouraging the reporting of suspicious activities can further safeguard teams.


MetaMask's August 2024 Crypto Security Report covered the Wallet Guard integration that adds new layers of protection to MetaMask, the Cthulhu Stealer malware targeting Mac users, and ZachXBT's discovery of North Korean IT workers hired as developers at more than 25 crypto projects. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      すべての記事を読む