However, these types of attacks are not new; in 2018, Copay, a reputable Bitcoin wallet, fell victim to malicious third-party code that stole users’ Bitcoin and Ethereum keys. This recent incident with Hardhat prompted the team at MetaMask to add a new tool to its set of security tools, “LavaMoat”, that protects developers from such thefts. This simple and lightweight tool is called “@lavamoat/allow-scripts.” It protects developers from malicious code in the software supply chain by letting them explicitly allow npm lifecycle scripts such as “preinstall” and “postinstall” only for the genuine packages that need them, while those scripts stay blocked for every other package. All developers need to do is install the tool and quickly configure it in their projects.
If the developers who had mistakenly installed hardhat-waffle had configured @lavamoat/allow-scripts on their projects first, they would have been immune to all such install script attacks.
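To make the policy described above concrete, here is an added example that is not LavaMoat's own code: a small model of the default-deny decision @lavamoat/allow-scripts applies. The `lavamoat.allowScripts` key in the root `package.json` is the tool's real configuration location; the root manifest, the installed dependency list and every script command in it are constructed sample data, and `assertPolicyComplete` is a hypothetical helper that stands in for the tool's refusal to run anything while a package with lifecycle scripts still has no explicit decision.

```javascript
// Added example, not @lavamoat/allow-scripts source: models how an explicit
// allowlist decides which npm lifecycle scripts may run.

// npm runs these hooks automatically during "npm install" / "yarn install".
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Constructed root package.json. Only the "lavamoat.allowScripts" shape is
// the tool's real config format; the package names and decisions are sample data.
const rootPackageJson = {
  name: "example-dapp",
  lavamoat: {
    allowScripts: {
      keccak: true,    // native addon: its install script is genuinely needed
      "core-js": false // its postinstall only prints a banner, so deny it
    }
  }
};

// Constructed dependency tree, each entry with its own package.json "scripts".
// "hardhat-waffle" stands in for the unlisted package from the incident above;
// its command is a placeholder, not the real payload.
const installedPackages = [
  { name: "keccak", scripts: { install: "node-gyp-build" } },
  { name: "core-js", scripts: { postinstall: "node postinstall.js" } },
  { name: "lodash", scripts: { test: "mocha" } }, // no lifecycle hooks at all
  { name: "hardhat-waffle", scripts: { postinstall: "node ./setup.js" } }
];

// True when the package declares at least one install-time hook.
function hasLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_SCRIPTS.some((hook) => typeof scripts[hook] === "string");
}

// Sort every package that has lifecycle scripts into one of three buckets:
// explicitly allowed, explicitly denied, or not yet decided. Packages without
// lifecycle scripts never need a decision.
function evaluateInstallScripts(rootPkg, packages) {
  const policy = (rootPkg.lavamoat && rootPkg.lavamoat.allowScripts) || {};
  const result = { allowed: [], denied: [], unconfigured: [] };
  for (const pkg of packages) {
    if (!hasLifecycleScripts(pkg)) continue;
    if (policy[pkg.name] === true) result.allowed.push(pkg.name);
    else if (policy[pkg.name] === false) result.denied.push(pkg.name);
    else result.unconfigured.push(pkg.name);
  }
  return result;
}

// Hypothetical helper: refuse to run anything until every package with
// lifecycle scripts has an explicit true/false entry. Default is deny, so a
// package that slipped into the tree unnoticed can never run its hooks silently.
function assertPolicyComplete(result) {
  if (result.unconfigured.length > 0) {
    throw new Error(
      "packages need an allowScripts decision: " + result.unconfigured.join(", ")
    );
  }
  return result.allowed;
}

// Stand-alone run: shows the unlisted package being caught before any hook runs.
const decision = evaluateInstallScripts(rootPackageJson, installedPackages);
console.log(decision);
try {
  assertPolicyComplete(decision);
} catch (err) {
  console.log("install blocked:", err.message);
}
```

The defensive value is in the third bucket: with this policy, only `keccak` would have its install script run, `core-js` is silenced, and `hardhat-waffle` is surfaced to the developer instead of executing on install. In the real tool, `allow-scripts setup` writes `ignore-scripts true` into the project's `.npmrc` so npm itself stops running hooks, and `allow-scripts auto` seeds the `allowScripts` map with every package that declares lifecycle scripts so each one gets a deliberate decision.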