Supply chain security announcement: Put a LavaMoat around your code

Have more questions? Submit a request

You're a modern Web developer, right? So, naturally, you're building on the shoulders of giants, and using the power of community-driven, open-source JavaScript frameworks to build your apps.

Question: Hold up--is that a security threat? Couldn't someone, say, inject some malicious code into one of your dependencies, take hold of your system, and steal all your user's data?

Traditional Web Developer: Well, I guess, but we're using really secure authentication systems. Besides, there's no real value held in our app itself. No one would go through the effort of orchestrating a supply chain attack into open source code just to get at our app.

Blockchain Developer: Oh... Oh no.


LavaMoat, solving for JavaScript supply chain security

MetaMask LavaMoat

Supply chain security is a real concern in web3. We're building in the open, like so many in modern software development do. But with projects like MetaMask, we're building at scale, too; it's just not feasible to perform manual dependency audits every time (although the MetaMask team does include regular manual audits). 

That's why MetaMask founder kumavis built LavaMoat. It's a tool that allows anyone building an app with JavaScript to automatically inspect dependencies that are being brought in for malicious code, encapsulate all dependencies within containers that limit their permissions to what you set them to, and help you better prioritize what it is you need to manually audit.

MetaMask LavaMoat viz

Here's the LavaMoat launch blog post, which breaks it down a little more. 

If you want to start using it, the npm package is available at, and the repository is


Watch how you handle those iframes

Not content with fixing this security problem, MetaMask's security researchers have moved on to another attack vector which has long haunted the Web: iframes. Check out the work they're doing with SNOW (Securing Nested Ownership of Windows):


An explanation of the motivation and how the technology works is here, hosted on the project's GitHub.

While the project is still experimental, the instructions to install it are available here



MetaMask: A crypto wallet, decentralized identity manager, and blockchain developer tool

Articles in this section

Was this article helpful?
0 out of 0 found this helpful