MetaMask Security Monthly: December 2022

We’re wrapping up the year with progress updates and stories from the ecosystem. See you all in 2023!

by LukerDecember 22, 2022

Security Laboratory

Screenshot 2022-12-22 at 10.51.00 AM The Patent Papers for Hedy Lamarr's Secret Communication System, 1942


@lavamoat/allow-scripts released with —experimental-bins flag to protect npm and yarn1 from bin confusion attacks. More on Bin Confusion:


The work on bundling intensifies. Various compatibility fixes are getting us closer to being able to use the compartment-mapper bundler for actual projects. Initial proof-of-concept of CommonJS support passes tests.

Node.js SWG’s Permission Model Proposal🤝

The Node.js Security Working Group has prepared a first proposal for their Permission Model to complement their Policy system. Their goal is similar to LavaMoat in that they aim to reduce system access exposed to semi-trusted third party code. Their approach is similar to Deno's Permissions System in that it configures system access at the process level. LavaMoat enables more granular isolation, configuring system access at the package level within a process. When the Nodejs Permission Model has matured and been released, it should be useable in conjunction with LavaMoat to provide superior supply chain protection. We applaud the efforts of the Node.js Security Working Group and look forward to the evolution of the proposal!

Screenshot 2022-12-22 at 10.56.35 AM

Cautionary Tales

The Lazarus Group is at it again. Beware of fake crypto websites where you could inadvertently be downloading the Applejeus malware. Read more from Volexity as well as the Twitter thread below:

Social engineering continues to be one of the most nefarious tools for bad actors. This elaborate heist played out over weeks:

Thanks for Joining Us This Year

Whether this is the first MetaMask security report you’re reading or if you’ve been following along from our humble beginnings in April on Medium, we thank you for joining us. This year we’ve seen great progress from the Security Labs team on LavaMoat and Endo that we’ve detailed in these monthly reports, the launching of our HackerOne bug bounty program, and strategic campaigns to combat phishing.

Through the HackerOne program, we’ve developed relationships with over a hundred unique hackers who have helped us identify many vulnerabilities, leading to a safer MetaMask experience for all our users. We’re always welcoming more, so please be encouraged to get involved and go for those bounties!

Over the year, our friends at PhishFort have detected 19,571 attacks using the MetaMask branding and within the last 30 days have successfully taken down 1,873 campaigns. We also carried initiatives within both the browser extension and mobile app to block known-phishing of both MetaMask impersonation and other web3 brands, and will continue improving these efforts. The list we use is owned and managed by Consensys/MetaMask and updated multiple times per day.

There have also been exciting developments for MobyMask: A new initiative from the MetaMask team to help proactively protect users from phishing, which uses a dynamic web of trust for sourcing phishing reporters. Thanks to help from Laconic!

And we’re looking to grow the MetaMask security team next year, so keep an eye on the MetaMask open roles page!

Receive our Newsletter