Malicious NPM Package Targets Crypto Wallets
Researchers Discover Stealthy Attack
Researchers at ReversingLabs have discovered a malicious software package uploaded to npm that secretly alters locally installed versions of crypto wallets and allows attackers to intercept and reroute digital currency transactions.
The campaign injected trojanized code into locally installed Atomic and Exodus wallet software and hijacked crypto transfers. The attack centered on a deceptive npm package, pdf-to-office, which posed as a library for converting PDF files to Office formats.
How the Attack Worked
When executed, the package silently located and modified specific versions of Atomic and Exodus wallets on victims’ machines, redirecting outgoing crypto transactions to wallets controlled by threat actors.
The attackers replaced legitimate JavaScript files inside the resources/app.asar archive with near-identical trojanized versions that substituted the user’s intended recipient address with a base64-decoded wallet belonging to the attacker.
For Atomic Wallet, versions 2.90.6 and 2.91.5 were specifically targeted. Meanwhile, a similar method was applied to Exodus Wallet versions 25.9.2 and 25.13.3.
Once modified, the infected wallets would continue redirecting funds even if the original npm package was deleted. Full removal and reinstallation of the wallet software were required to eliminate the malicious code.
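One way to detect the in-place tampering described above is a baseline-and-compare integrity check on each wallet's resources/app.asar archive. This is an added example, not code from the ReversingLabs report; the install paths and archive contents are constructed placeholders, and a real deployment would baseline from a fresh install and re-baseline after each legitimate wallet update.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large app.asar archives are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(asar_paths: dict) -> dict:
    """Record a trusted hash for each wallet's app.asar right after a clean install."""
    return {name: sha256_file(p) for name, p in asar_paths.items() if p.exists()}


def check_integrity(asar_paths: dict, baseline: dict) -> dict:
    """Compare current app.asar hashes with the baseline; any drift is a tamper signal."""
    report = {}
    for name, p in asar_paths.items():
        if not p.exists():
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "unbaselined"
        elif sha256_file(p) != baseline[name]:
            report[name] = "MODIFIED"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: two fake wallet installs, one patched after baselining."""
    root = Path(tempfile.mkdtemp())
    paths = {  # hypothetical layout; real paths differ per OS and wallet version
        "atomic": root / "Atomic Wallet" / "resources" / "app.asar",
        "exodus": root / "Exodus" / "resources" / "app.asar",
    }
    for p in paths.values():
        p.parent.mkdir(parents=True)
        p.write_bytes(b"fake asar archive contents")  # constructed placeholder
    baseline = build_baseline(paths)
    # Simulate the patching attack: the archive is rewritten in place after baselining.
    paths["atomic"].write_bytes(b"fake asar archive with swapped recipient")
    return check_integrity(paths, baseline)


if __name__ == "__main__":
    print(demo())  # {'atomic': 'MODIFIED', 'exodus': 'ok'}
```

Scheduling check_integrity periodically gives the "real-time monitoring of local application changes" that the report calls for; the check also catches the case where the npm package has already been deleted but the patched archive remains.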
Persistent and Obfuscated Malware
ReversingLabs also noted the malware’s attempts at persistence and obfuscation. Infected systems sent installation status data to an attacker-controlled IP address (178.156.149.109), and in some cases, zipped logs and trace files from AnyDesk remote access software were exfiltrated, suggesting an interest in deeper system infiltration or evidence removal.
Expanding Software Supply Chain Threats
The discovery follows a similar March campaign involving ethers-provider2 and ethers-providerz, which patched the ethers npm package to establish reverse shells. Both incidents highlight the rising complexity of supply chain attacks targeting the crypto space.
ReversingLabs warned that these threats continue to evolve, especially in web3 environments where local installations of open-source packages are common. Attackers increasingly rely on social engineering and indirect infection methods, knowing that most organizations fail to scrutinize already installed dependencies.
“This kind of patching attack remains viable because once the package is installed and the patch is applied, the threat persists even if the source npm module is removed,” the report states.
Threat Actor’s Persistence
The malicious package was flagged by ReversingLabs’ machine-learning algorithms under Threat Hunting policy TH15502. It has since been removed from npm, but a republished version under the same name and version 1.1.2 briefly reappeared, indicating the threat actor’s persistence.
Investigators published hashes of affected files and wallet addresses used by the attackers as indicators of compromise (IOCs). These include wallets used for illicit fund redirection, as well as the SHA1 fingerprints of all infected package versions and associated trojanized files.
Call to Action
As software supply chain attacks become more frequent and technically refined, especially in the digital asset space, security experts are calling for stricter code auditing, dependency management, and real-time monitoring of local application changes.
Conclusion
The recent discovery of a malicious NPM package highlights the growing threat of supply chain attacks in the crypto space. It is crucial for organizations to prioritize security and implement robust measures to detect and prevent such attacks. By staying vigilant and proactive, we can minimize the impact of these threats and ensure the integrity of our digital assets.
FAQs
What was the malicious NPM package? The malicious package was named “pdf-to-office” and posed as a library for converting PDF files to Office formats.
What was the purpose of the package? The package injected trojanized code into locally installed Atomic and Exodus wallet software, allowing attackers to intercept and reroute digital currency transactions.
Which versions of Atomic and Exodus wallets were targeted? Versions 2.90.6 and 2.91.5 of Atomic Wallet and versions 25.9.2 and 25.13.3 of Exodus Wallet were specifically targeted.
How did the malware persist? The malware attempted to persist by sending installation status data to an attacker-controlled IP address and exfiltrating logs and trace files from AnyDesk remote access software.
What is the recommended course of action? Security experts recommend stricter code auditing, dependency management, and real-time monitoring of local application changes to prevent such attacks.