Komodo Wallet Attack: $13M at Risk from a Single npm Package

Incident | 4 min read | For Security Engineers


What Happened

A malicious npm package named electron-native-notify targeted users of Komodo's Agama cryptocurrency wallet. A GitHub user, sawlysawly, disclosed the threat via a public commit, triggering an investigation that revealed the package was designed to exfiltrate wallet credentials and private keys. The package was removed from the npm registry before significant theft occurred, but approximately $13 million USD in cryptocurrency was exposed during the window of vulnerability.

The attack vector was straightforward: the malicious package masqueraded as a legitimate notification utility for Electron applications. Developers who installed it unknowingly granted attackers access to their users' wallet data.

Timeline

Discovery and Disclosure: GitHub user sawlysawly identified the malicious package and published a commit warning the community.

Package Removal: npm removed electron-native-notify from the registry following the disclosure.

Investigation Period: Komodo and security researchers assessed the scope of exposure and identified affected wallet installations.

Remediation: Users were advised to check their dependencies and remove the malicious package if present.

The exact duration between package publication and removal is not publicly documented, but the window was sufficient to put millions of dollars at risk.

Which Controls Failed or Were Missing

No dependency verification process. The Agama wallet project lacked automated scanning to detect suspicious packages before they entered the dependency tree. Your build pipeline should reject packages that exhibit known malicious patterns or lack provenance data.

Absence of Software Bill of Materials (SBOM) validation. Without an SBOM, the team had no systematic inventory of third-party components. You cannot protect what you cannot enumerate.

Missing real-time vulnerability monitoring. The project did not employ continuous dependency monitoring that would have flagged the package immediately upon disclosure. Tools like Snyk, Dependabot, or Socket can alert you within minutes of a public threat disclosure.

No package integrity verification. The build process did not validate package signatures or checksums against a known-good baseline. This allowed an untrusted package to execute code in the build environment.

Insufficient least-privilege architecture. The wallet application granted the notification package enough access to reach credential stores. A properly sandboxed architecture would have limited the blast radius even if a malicious package was included.

What the Standards Require

PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be developed based on industry standards and incorporate information security throughout the software development life cycle. For organizations handling payment data, this explicitly includes supply chain risk management for third-party components.

NIST 800-53 Rev 5 control SA-12 (Supply Chain Protection) requires organizations to employ integrity verification mechanisms to detect unauthorized changes to software and firmware. This applies directly to npm packages—you must verify that dependencies have not been tampered with.

ISO/IEC 27001:2022 Annex A.8.30 (Outsourced Development) requires that security be applied to development activities outsourced to third parties. When you import an npm package, you are outsourcing development. The control requires you to verify the security of those components.

OWASP ASVS v4.0.3 Section 14.2 (Dependency) specifies that applications must use a software component analysis tool to identify known vulnerable components. This is not optional for security-critical applications—it is a verification requirement.

SOC 2 Type II Common Criteria CC7.1 requires that the organization identifies and assesses risks associated with vendor and business partner relationships. Your npm dependencies are business partners. You must assess their risk.

Lessons and Action Items for Your Team

Implement automated dependency scanning in your CI/CD pipeline. Do not wait for manual reviews. Configure tools like Snyk, Socket, or GitHub's Dependabot to block builds that include packages with known vulnerabilities or suspicious characteristics. Set the failure threshold to "high" severity at minimum.

Generate and maintain an SBOM for every release. Use tools like CycloneDX or SPDX to create machine-readable inventories of your dependencies. Store these alongside your release artifacts. When a disclosure like the Komodo incident occurs, you need to answer "are we affected?" in minutes, not days.

Enable real-time threat intelligence feeds. Subscribe to security advisories for the ecosystems you use (npm, PyPI, Maven Central). Configure alerts so your team learns about threats from public disclosures immediately, not when an auditor asks about them.

Verify package integrity before installation. Use lock files (package-lock.json, yarn.lock) to pin exact versions and checksums. In high-security environments, mirror critical packages to a private registry where you control the source of truth.

Apply least-privilege principles to third-party code. If a notification library needs filesystem access, ask why. Use Content Security Policy, sandboxing, and permission boundaries to limit what dependencies can access. The electron-native-notify package should never have had a path to wallet credentials.

Establish a dependency approval process for new packages. Before adding a dependency, check: How many maintainers? When was the last commit? How many downloads per week? Is the source code available for review? A five-minute review could have flagged electron-native-notify as suspicious—it was a new package with minimal adoption.
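A minimal version of that dependency approval check, as an added example that is not code from the original post or from Komodo: it scores a package from the fields in its npm registry metadata document (creation date, maintainer count, repository link, install-time lifecycle scripts) plus a weekly download figure supplied separately. The package documents, names and thresholds are constructed for the example.

```javascript
// Added example (not from the original post): score an npm package from its
// registry metadata before approving it. Field names (time, maintainers,
// repository, dist-tags, versions) follow the npm registry document format;
// the sample documents and thresholds below are constructed for this example.
const DAY_MS = 24 * 60 * 60 * 1000;
const POLICY = { minAgeDays: 90, minWeeklyDownloads: 1000, minMaintainers: 2 };
// Returns a list of findings; an empty list means nothing to flag.
function assessPackage(doc, weeklyDownloads, now = Date.now()) {
  const findings = [];
  const created = doc.time && doc.time.created ? Date.parse(doc.time.created) : NaN;
  const ageDays = Number.isNaN(created) ? 0 : (now - created) / DAY_MS;
  if (ageDays < POLICY.minAgeDays) {
    findings.push(`new package: created ${Math.floor(ageDays)} days ago`);
  }
  const maintainers = Array.isArray(doc.maintainers) ? doc.maintainers.length : 0;
  if (maintainers < POLICY.minMaintainers) {
    findings.push(`only ${maintainers} maintainer(s)`);
  }
  if (!doc.repository || !doc.repository.url) {
    findings.push("no repository URL: source not available for review");
  }
  if (weeklyDownloads < POLICY.minWeeklyDownloads) {
    findings.push(`low adoption: ${weeklyDownloads} downloads/week`);
  }
  // Lifecycle scripts run arbitrary code at install time: always review them.
  const latestTag = doc["dist-tags"] && doc["dist-tags"].latest;
  const scripts = ((latestTag && doc.versions && doc.versions[latestTag]) || {}).scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) findings.push(`runs code at install time via "${hook}" script`);
  }
  return findings;
}

// Constructed sample: a fresh, single-maintainer package with no repo link.
const NOW = Date.parse("2024-06-01T00:00:00Z");
const NEW_PKG = {
  name: "example-notify-helper", "dist-tags": { latest: "1.0.1" },
  time: { created: "2024-05-20T00:00:00Z" }, maintainers: [{ name: "someone" }],
  versions: { "1.0.1": { scripts: { postinstall: "node setup.js" } } },
};
// Constructed sample: an established package with several maintainers.
const MATURE_PKG = {
  name: "example-established-lib", "dist-tags": { latest: "4.2.0" },
  time: { created: "2016-01-10T00:00:00Z" },
  maintainers: [{ name: "a" }, { name: "b" }, { name: "c" }],
  repository: { url: "git+https://example.invalid/established-lib.git" },
  versions: { "4.2.0": { scripts: { test: "mocha" } } },
};
console.log(assessPackage(NEW_PKG, 42, NOW));        // five findings
console.log(assessPackage(MATURE_PKG, 250000, NOW)); // []
```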

Create a rapid-response plan for supply chain incidents. Document who gets notified, how you assess impact, and what the rollback procedure looks like. The Komodo incident moved fast. Your response must move faster.

The $13 million at risk in the Komodo attack represents the cost of treating dependency management as a development convenience rather than a security control. Every package you import is code you ship. Treat it accordingly.

Electron security guidelines
