MetaMask, the leading software cryptocurrency wallet that lets users interact with Ethereum from their browsers, is set to adopt stronger security standards that benefit the entire open-source JavaScript ecosystem. MetaMask's new tool protects smart contract developers from phishing attacks and theft.
On February 20th, 2021, over 50 smart contract developers took a serious hit from attackers. The attack targeted users of NomicLabs' Hardhat, a library for Ethereum smart contract development, using a phishing technique known as "typosquatting." In a typical typosquatting attack, the attacker buys a lookalike domain of a trusted website and waits for users who mistype the domain name to land on it; the page looks as legitimate as the trusted site but behaves maliciously. This time the attackers did not use a lookalike domain name. Instead, they registered a package name on NPM, the primary trusted registry for open-source JavaScript libraries. The legitimate package is "@nomiclabs/hardhat-waffle"; the attacker registered "hardhat-waffle," which looks just as legitimate as the genuine package name. Very likely, the attacker waited for users to type "hardhat-waffle" by mistake instead of "@nomiclabs/hardhat-waffle." On installation, the fake package ran a post-install script that uploaded file contents and Kubernetes credential files to a remote server. With its new security features, MetaMask continues to combat such fake packages and websites that try to siphon user credentials.
However, these types of attacks are not new: in 2018, Copay, a reputable Bitcoin wallet, became the victim of malicious third-party code that stole users' Bitcoin and Ethereum keys. The recent Hardhat incident prompted the team at MetaMask to add a new tool to its set of security tools, called "LavaMoat," that protects developers from such theft. This simple, lightweight tool is called "@lavamoat/allow-scripts." It protects developers from malicious code in the software supply chain by requiring them to explicitly allow NPM lifecycle scripts such as "preinstall" and "postinstall," package by package, for the genuine packages that need them; any package not on that allowlist has its install scripts blocked. All developers need to do is install the tool and configure it for their projects.
If the developers who mistakenly installed hardhat-waffle had configured @lavamoat/allow-scripts on their projects first, they would have been immune to this whole class of install-script attacks.
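To make the allowlist model concrete, here is an added example (not LavaMoat's own code) that audits installed package manifests for NPM lifecycle scripts and checks each against an explicit per-package policy, the same deny-by-default approach @lavamoat/allow-scripts applies; it also flags an unscoped package whose name matches the tail of a scoped dependency the project declares, the lookalike pattern in the Hardhat incident. The manifests, dependency map and policy below are constructed samples.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// projectDeps: the project's own dependencies map (from its package.json).
// manifests:   package.json objects of the packages actually installed.
// policy:      explicit allowlist, name -> true; anything not listed is blocked.
function auditPackages(projectDeps, manifests, policy) {
  // Map the unscoped tail of each scoped dependency to its full name, e.g.
  // "hardhat-waffle" -> "@nomiclabs/hardhat-waffle".
  const scopedByTail = new Map();
  for (const dep of Object.keys(projectDeps)) {
    if (dep.startsWith("@")) scopedByTail.set(dep.split("/")[1], dep);
  }
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
    // An unscoped package whose name equals the tail of a scoped dependency
    // the project declares is the lookalike pattern; never allow its scripts.
    const lookalikeOf = pkg.name.startsWith("@") ? undefined : scopedByTail.get(pkg.name);
    if (hooks.length === 0 && !lookalikeOf) continue; // nothing to report
    const finding = {
      name: pkg.name,
      hooks,
      allowed: policy[pkg.name] === true && !lookalikeOf,
    };
    if (lookalikeOf) finding.lookalikeOf = lookalikeOf;
    findings.push(finding);
  }
  return findings;
}

// Constructed sample data: one legitimate scoped dependency, one native addon
// with a genuinely needed build step, and a lookalike carrying a postinstall.
const sampleProjectDeps = {
  "@nomiclabs/hardhat-waffle": "^2.0.0",
  "example-native-addon": "^1.0.0",
};
const sampleManifests = [
  { name: "@nomiclabs/hardhat-waffle", scripts: { test: "mocha" } },
  { name: "example-native-addon", scripts: { install: "node-gyp rebuild", postinstall: "node build.js" } },
  { name: "hardhat-waffle", scripts: { postinstall: "node upload.js" } },
];
const samplePolicy = { "example-native-addon": true };

console.log(JSON.stringify(auditPackages(sampleProjectDeps, sampleManifests, samplePolicy), null, 2));
```

A policy like this only holds if NPM is also told not to run scripts by default (its `ignore-scripts` setting), so that the allowlist is the single place where script execution is switched on.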