Cryptocurrency Wallets Targeted in NPM Supply Chain Attack

Coin World, Friday, Apr 11, 2025 2:57 pm ET

A new software supply chain attack has been discovered in the npm registry, targeting users of popular cryptocurrency wallets such as Atomic Wallet and Exodus. The malicious npm package, named pdf-to-office, presents itself as a tool for converting PDF files to Word documents but actually functions as a stealth tool to steal cryptocurrency. It contains hidden malicious code that overrides cryptocurrency wallet addresses during fund transfers: when a victim attempts a payment, the destination address is replaced with the attacker's own wallet address, redirecting the money to the criminal.

The malicious package was first uploaded to npm on March 24, 2025, and has since received three updates. The latest release, version 1.1.2 from April 8, has reached 334 downloads. This incident is not isolated; two other npm packages, ethers-provider2 and ethers-providerz, were exposed a few weeks prior. These packages contained code that attempted to establish reverse shell connections on vulnerable machines, giving the attacker remote access and control through the compromised shells.

In the case of pdf-to-office, the malware is more targeted. It first checks whether the Atomic Wallet application is present on the computer. If it is, the malware overwrites a key file of the application with a modified version containing Trojan code. The modified file poses as the original but manipulates outgoing wallet addresses so that transfers go to addresses under the attacker's control. The Exodus wallet is attacked in a similar way, and the malware specifically targets certain versions of both Atomic Wallet and Exodus Wallet. The attackers prepared the attack in advance to match the specific formats of these versions.

Uninstalling the malicious npm package from the system does not undo the damage it caused, because the compromised wallet software remains infected. The infected wallet software does not clean itself, so funds continue to be redirected. To mitigate the risk, users must completely remove the wallets from their computer and then install new versions. This attack reflects a growing trend of supply chain attacks carried out through the open-source npm platform. Such attacks are harder to identify because they aim to infect software at the development stage or when users install applications.
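A defender can check whether a project ever pulled in one of the packages named in this article by scanning its `package-lock.json`. The following is an added example, not code from the article or from npm; the sample lockfiles, the `report-kit` and `web3-helper` package names, and the version of `ethers-provider2` are constructed for illustration.

```javascript
// Added example: flag the npm packages named in this article inside a lockfile.
const FLAGGED = new Set(["pdf-to-office", "ethers-provider2", "ethers-providerz"]);

// Lockfile v2/v3 keys its flat "packages" map by install path; the package
// name is whatever follows the last "node_modules/" segment.
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? null : installPath.slice(i + marker.length);
}

function findFlagged(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An aliased install records the real package name in "name".
    const name = meta.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // Lockfile v1 uses a nested "dependencies" tree; walk it recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 files carry both sections, so walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/report-kit/node_modules/pdf-to-office": { version: "1.1.2" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "web3-helper": { version: "0.3.0", dependencies: { "ethers-provider2": { version: "1.0.0" } } },
  },
};

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findFlagged`. A hit only shows that the package was installed; as the article notes, removing it does not repair an already modified wallet, which has to be deleted and reinstalled.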

Additionally, the threat analysis included information about related security risks. It showed that 10 malicious Visual Studio Code extensions had been successfully uploaded. These extensions covertly download PowerShell scripts that disable Windows security functions, set up scheduled automatic execution so that they keep running indefinitely, and install an XMRig cryptocurrency mining tool. The recent discoveries show that cybercriminals keep developing new techniques to rob crypto users. Development teams and users alike need to stay alert, particularly when downloading packages from public registries. The rapid pace of change in the software world demands routine maintenance to protect software and preserve funds.

Comments

big_nate410
04/11
npm's Trojan horse: stealing crypto since March 24
alpha_mu
04/11
@big_nate410 npm: where packages come with a hidden payload. YOLO on those crypto gains.
bottlethecat
04/11
If you're using affected wallets, nuke 'em from orbit and reinstall. Better safe than sorry in crypto.
elpapadoctor
04/11
Whoa, cyber threats are getting sneaky! Keep your crypto wallets tight, or the gremlins might steal your lunch.
tenebrium38
04/11
Supply chain attacks are the new normal, folks.
MyNi_Redux
04/11
Gotta keep those wallets safe, peeps. This attack's sneaky, but awareness is the best shield. Stay vigilant, crypto fam.
mav101000
04/11
@MyNi_Redux 👍
SpirituallyAwareDev
04/11
Keep wallets offline, public networks are risky! 💰
Didntlikedefaultname
04/11
NPM attack shows crypto's wild west reality
Raphaelba
04/11
@Didntlikedefaultname True, crypto's a wild west.
Living_Ad_4992
04/11
Holy! The Peak Seeker algorithm successfully identified both trough and apex inflection points in MSTF equity's price action, while my execution latency resulted in material opportunity cost.
liano
04/11
@Living_Ad_4992 😂
Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.