MetaMask Security Report: January 2025

Supply chain shenanigans, Google Ad exploits, DPRK heists, and more – read all about it in our latest crypto security rundown.

by Luker, January 31, 2025

Andrew Grove

Holocaust and 1956 Hungarian Revolution survivor Andrew Grove played a major role in Intel’s microprocessor revolution, shaping modern computing.


🦊 What we’ve been up to 🦊

A phish on a fork, no chips

Highlighting the first release of @lavamoat/node, Naugtur explores a sneaky security risk in GitHub development: attackers create malicious forks of popular repositories and slip harmful code into them. Even if you've been following the development of LavaMoat, you probably did not see @lavamoat/node coming. It is a major rewrite, one that was necessary to bring in ECMAScript modules (ESM) support.

AnChain.AI x MetaMask Snaps: protect your transactions

In this X Space, AnChain.AI discusses its MetaMask Snap that allows more people to benefit from easier access to the data they aggregate on bad actors. The algorithm they built assesses the risk to transactions, wallets, and smart contracts.

Christian Montoya said about Snaps more broadly: "Through the Snaps platform, we're able to connect with a lot of different teams that are working in the security space. Because they can launch their own Snaps, they can demonstrate their capabilities to protect against malicious activity, to help decode transactions, and to do better simulations."

Christian also teased that MetaMask is exploring ways to leverage AI to make users more secure.

Improvements to signature request readability

This month, we launched new, consistent, and more readable transactions and signatures on MetaMask Extension. The improvements will be coming to MetaMask App on mobile very soon.

🎙️ MetaMask in the security ecosystem 🔎

Using LavaMoat to block malicious postinstalls

It's Naugtur again, and this time he raised the alarm for users of Rspack, a Rust-based JavaScript bundler, who may have unknowingly installed a malicious release. Fortunately, the issue was swiftly addressed, but tools like LavaMoat can help developers stay protected from similar supply chain attacks in the future by refusing to run dependency install scripts that have not been explicitly allowed.

North Korea hack group may be behind $70 Million Phemex exploit, experts say...

And one of these experts is MetaMask's Taylor Monahan. Over $70M in crypto was stolen from Singapore-based exchange Phemex. According to Taylor, the attack's complexity indicates involvement by a seasoned group, possibly linked to North Korea. The attackers swiftly drained a wide array of assets across multiple blockchains, converting them into native tokens like ETH and BTC. She noted that the manual execution of numerous transactions across various chains suggests the work of experienced threat actors. This method mirrors tactics previously associated with North Korean hacking groups, such as the Lazarus Group.

Meanwhile...

Chainalysis releases Crypto Crime Report for 2025

Chainalysis's annual Crypto Crime Report has landed. While you wait for your copy to arrive, get a sneak peek by reading an excerpt – Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized, here.

⚠️ Tales of Caution ⚠️

Fake Homebrew Google Ads target Mac users with malware

Summary

Hackers have launched a malware campaign via Google Ads, targeting users of the Homebrew package manager for macOS and Linux with a counterfeit website. The campaign distributes AmosStealer, a malware designed to steal credentials, browser data, and cryptocurrency data by masquerading as a legitimate Homebrew site. Security experts have highlighted the campaign's sophistication and potential to harm unsuspecting users significantly.

How Users Can Protect Themselves

Always verify the authenticity of websites before downloading any software or entering personal information. Be cautious of Google ads that lead to external sites, especially those that look similar to legitimate services like Homebrew. Consider bookmarking official websites you frequently visit to avoid falling for fake ads. Additionally, follow reputable cybersecurity experts and updates to stay informed about the latest threats.

Navigating the Contagious Interview malware campaign

Summary

Contagious Interview, a DPRK-affiliated cyber threat group active since December 2022, has been exploiting the cryptocurrency industry through sophisticated social engineering attacks. They lure victims with fake job offers or freelance development work, only to infect their devices with BeaverTail infostealer malware via malicious code distributed through platforms like GitHub and Bitbucket. This malware targets crypto assets, draining browsers and desktop wallets soon after installation. The group employs a second payload, InvisibleFerret, to further compromise devices for ongoing exploitation.

How Users Can Protect Themselves

Individuals should exercise caution when approached with job offers on social media, verifying the authenticity of recruiter profiles and avoiding suspicious links or scripts. They should also use antivirus software and keep personal and work activities separate, possibly on different machines or virtual environments. Organizations can protect themselves by educating employees on phishing tactics, enforcing strict device policies, and using secure channels for recruitment processes.

AdsPower supply chain attack leads to $3M stolen in ETH

Summary

AdsPower, an anti-detect browser, fell victim to a hacking incident that resulted in the theft of over $3M in crypto assets from over 34,000 wallets. The breach was first hinted at on January 23, with users reporting issues with MetaMask within AdsPower on various Telegram crypto chats. By January 25, a significant withdrawal of funds from users' wallets was observed, and the AdsPower team acknowledged the breach. The attack was executed by replacing legitimate wallet extensions with fraudulent ones, deceiving users into submitting their seed phrases and passwords.

How Users Can Protect Themselves

If you're an AdsPower user and installed or updated the MetaMask extension between January 21 and January 24, take immediate action to secure your assets and account: delete the current MetaMask Extension and any other wallet extensions you suspect might be compromised. Reinstall them directly from the Chrome Web Store to ensure that you're using the authentic versions.

Move your crypto assets to a new wallet. When setting up the new wallet, import your seed phrases or private keys directly, and avoid using AdsPower during this process to prevent potential exposure to malicious software. Contact AdsPower's support team at support@adspower.com. Provide them with details and any proof of compromise to get assistance and potentially help prevent further breaches.

Looking for more? Head here to peruse previous editions of Luker's MetaMask Security Reports.
