
Malicious npm Package Targets Atomic and Exodus Wallets


  • Malicious npm package hijacks Atomic and Exodus wallets.
  • Attackers replace crypto addresses to steal user funds.

A new software supply chain attack has surfaced in the npm registry, this time aimed at users of the popular cryptocurrency wallets Atomic Wallet and Exodus. The malicious npm package, pdf-to-office, claims to convert PDF files to Word documents, but in reality it carries hidden code that acts as a crypto-theft mechanism.

npm Malware Alters Crypto Addresses in Fund Transfers

Security research by ReversingLabs shows that the malicious package overrides cryptocurrency wallet addresses during fund transfers. When a victim initiates a payment, the malware silently swaps the intended recipient's address for one controlled by the attacker, so the funds leave the sender's wallet and land in the criminal's.

The package first appeared on npm on March 24, 2025, and has received three updates since then. The latest release, version 1.1.2 from April 8, had reached 334 downloads. Earlier versions were probably removed from the registry during the campaign to avoid detection.

Moreover, this incident is not isolated. Only a few weeks earlier, two other npm packages, ethers-provider2 and ethers-providerz, were exposed. They carried code that attempted to open reverse shell connections from infected machines, and because the change they made survived removal of the packages, the attacker could keep remote access and control through the compromised shells.

In the case of pdf-to-office, the malware is more targeted. It first checks whether Atomic Wallet is installed on the system. If it is, the malware overwrites one of the wallet's key files with a modified copy containing trojan code. The modified file passes for the original but manipulates outgoing wallet addresses so that funds are redirected to accounts under the attacker's control.

Exodus is attacked in the same way. The malware specifically targets versions 2.91.5 and 2.90.6 of Atomic Wallet and versions 25.13.3 and 25.9.2 of Exodus; the trojanized files were prepared in advance to match the exact file layout of those releases.

Malware Keeps Redirecting Crypto Funds Even After Uninstall

Importantly, uninstalling the malicious npm package does not undo the damage, because the compromised wallet software remains infected: the trojanized file stays in place inside the wallet and keeps redirecting funds. ReversingLabs states that users must completely delete the wallet from their computer before installing a fresh copy.

Moreover, the attack reflects a growing trend in cybercriminal behaviour: supply chain attacks carried out through the open-source npm registry. These attacks are harder to identify because they aim to infect software at the development stage or at the moment users install applications.

In addition, a threat analysis by ExtensionTotal described related risks. It found that 10 malicious Visual Studio Code extensions had been uploaded. The extensions covertly download PowerShell scripts that disable Windows security features, create scheduled tasks so the malware keeps running indefinitely, and install the XMRig cryptocurrency miner.

Lastly, these discoveries show that cybercriminals keep developing new techniques to rob crypto users. Developers and users alike need to stay alert, particularly when downloading packages from public registries, and keep their software patched to protect both their systems and their funds.

 
