Crypto Security Report: October 2022

Featuring the SES v0.17.0 release landing the "quadruple backflip" evaluator refactor, Socket.dev's disclosure of npm bin script confusion attacks, LavaMoat's new global scuttling defense, and two MetaMask security talks at Devcon VI in Bogota.

4 minutes
Crypto Security Report: October 2022

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

October 2022 saw the Endo project release SES v0.17.0, landing the long-awaited "quadruple backflip" evaluator refactor that lets LavaMoat drop its custom SES patches, while LavaMoat itself added global scuttling and a programmatic API. On the threat side, Socket.dev disclosed npm bin script confusion—a supply chain technique that hijacks legitimate CLI commands through a package's bin field—which @lavamoat/allow-scripts was already positioned to mitigate. MetaMask also took the stage at Devcon VI in Bogota with two security talks, published Gal Weizman's deep dive on JavaScript realms, and drew over 4,000 attendees to a community Security Essentials call. The full breakdown is below, but first...

Frances Allen (1932–2020) was an American computer scientist who pioneered the field of compiler optimization—the science of automatically transforming code so it runs faster and more efficiently—and made foundational contributions to program analysis and parallel computing during her decades at IBM. In 2006 she became the first woman to receive the ACM Turing Award. The deep analysis of how programs are compiled and executed that Allen pioneered is the same foundation tools like SES and LavaMoat build on to reason about, isolate, and constrain untrusted code.

SES v0.17.0 ships "quadruple backflip" evaluator refactor for Endo

The Endo project released SES v0.17.0, which includes the "quadruple backflip" refactor of the SES shim's evaluator into a multilayered scope stack. The refactor fixes an issue where the scope proxy could leak and separates distinct concerns in global scope handling into discrete layers. A key downstream benefit: LavaMoat can now use the unaltered SES shim without maintaining its own patches. Parallel work continued on introducing LavaMoat-style policies to Endo's compartment mapper, with the current proof of concept supporting granular control of globals and built-ins per package, including programmatic attenuation of built-in APIs.

Socket.dev discloses npm bin script confusion as a supply chain attack vector

Security research firm Socket.dev published a disclosure on npm bin script confusion, a technique in which a malicious npm package uses its bin field to shadow or hijack legitimate CLI commands—including node itself—when installed alongside trusted packages. The attack is harder to detect than typical supply chain compromises because it exploits a design behavior in npm's package linking rather than injecting malicious code into existing modules. GitHub's position is that the behavior is working as designed. LavaMoat's @lavamoat/allow-scripts was already positioned to mitigate this class of attack by controlling which packages are permitted to run install scripts.

LavaMoat introduces global scuttling and programmatic API

LavaMoat shipped 3 key  updates in October 2022. Global scuttling captures global references needed for policy-based endowment and then removes the original references from the global scope, preventing packages from accidentally passing indirect references to powerful APIs. A new programmatic API (require('lavamoat')) allows developers to integrate LavaMoat directly into Node.js applications and scripts rather than using it solely as a CLI tool. The latest release of @lavamoat/allow-scripts also added out-of-the-box support for configuring Yarn 3-based projects.

MetaMask presents two security talks at Devcon VI in Bogota

MetaMask delivered 2 security-focused presentations at Devcon VI in Bogota, Colombia, in October 2022. Antonela Debiasi presented "Usable Security in web3" on the main stage, addressing the challenge of balancing security and usability in self-custodial wallet design to support broader adoption. Kumavis (MetaMask co-founder and security research lead) presented "The Attacker is Inside: Javascript Supplychain Security and LavaMoat", covering how LavaMoat defends against JavaScript supply chain attacks in the crypto ecosystem.

Gal Weizman publishes deep dive on JavaScript realms and browser security

LavaMoat contributor Gal Weizman published "What is a realm in JavaScript?", a technical deep dive on the execution environments in which JavaScript programs operate. The article explains how attackers exploit iframe-created realms to access untampered native APIs, bypassing security policies applied to the top-level window—the exact attack surface that LavaMoat's Snow tool was built to close.

MetaMask community security essentials call draws over 4,000 attendees

MetaMask's community team hosted a Security Essentials call covering foundational security practices for self-custodial wallet users. Over 4,000 attendees participated in the live session, which covered topics including Secret Recovery Phrase safety, phishing recognition, and transaction verification.


MetaMask’s October 2022 Crypto Security Report covered the SES v0.17.0 release landing the "quadruple backflip" evaluator refactor, Socket.dev's disclosure of npm bin script confusion as a supply chain attack vector exploiting npm's package linking design, and LavaMoat's introduction of global scuttling to prevent indirect reference leaks to powerful APIs. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles