Cryptocurrency wallet developer Komodo has effectively hacked its own customers to avert an attack that could have resulted in the theft of funds worth nearly $13 million.

A blog post from the npm JavaScript package repository, first reported by ZDNet, indicated that its security system raised an alert about a backdoor on June 5 that could have been used by hackers to rob users of one of Komodo’s older wallets, Agama.

An audit showed a malware threat with the potential to steal cryptocurrency wallet seeds and logins.

To prevent hackers from taking advantage of the malicious code, Komodo and npm used the same backdoor to extract Agama users’ funds and transferred them to a safe location away from hackers reach.

Npm said:

“After being notified by our internal security tooling of this threat we responded by notifying and coordinating with Komodo to protect their users as well as remove the malware from npm.”

In a security alert, Komodo said: “After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.”

Komodo said it was able to safeguard 8 million komodo (KMD) tokens and 96 bitcoin, collectively worth nearly $13 million.

To prevent hackers from using their old seeds and paraphrases in the future, the developer advised Agama wallet users to move their funds to its newer wallet products and create new KMD and BTC addresses, as well as new passphrases.

Malicious code image via Shutterstock