Hackers Hijack npm Packages to Steal Crypto Funds from Atomic and Exodus Wallets
A new and dangerous threat has emerged in the world of cryptocurrency, with hackers exploiting popular open-source tools to silently drain user funds. Cybersecurity researchers have uncovered a targeted malware campaign that manipulates npm (Node Package Manager) packages to infect cryptocurrency wallet applications like Atomic and Exodus, turning trusted software into silent thieves.
The attack highlights growing concerns around supply chain vulnerabilities in the software ecosystem, especially as threat actors become more creative and precise in their methods. The campaign begins innocently enough—developers or users install what appears to be a legitimate npm package, such as one named pdf-to-office. This package, like many others in the Node.js ecosystem, offers seemingly useful functionality. But hidden beneath the surface is malicious code designed to locate, tamper with, and hijack crypto wallet software.
Once installed on a system, the package quietly searches for known wallet applications. Its primary targets? The popular desktop wallets Atomic and Exodus. These apps, which are built using Electron (a framework that wraps web apps into desktop applications), are especially vulnerable to this type of tampering because of how their code is packaged.
Here’s where it gets more sophisticated. The malware extracts the ASAR archive used by Electron apps—essentially the bundle that contains all the application’s files. Once extracted, it locates specific JavaScript files, often vendor files like vendors.64b69c3b00e2a7914733.js, and injects malicious payloads directly into them.
These payloads are engineered to intercept cryptocurrency transactions. So when an unsuspecting user sends funds using their wallet, the malicious code quietly swaps the destination wallet address with one controlled by the attackers. The user receives no warning, and the funds vanish, irretrievably, into a hacker’s pocket. To make matters worse, after the injection is complete, the package neatly repacks the files, leaving no visible signs of tampering. Everything continues to run as expected, making the malware extremely difficult for the average user to detect.
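Because the repacked archive looks unchanged to the user, one way to detect this kind of tampering is to hash every file inside the wallet's ASAR archive and compare the result against a baseline recorded from a trusted install. The Node.js code below is an added example, not code from the researchers or the wallet vendors; hashAsarFiles, diffBaseline and buildAsar are hypothetical names, and buildAsar only constructs a small test archive in memory.

```javascript
const crypto = require('crypto');
// Return { "path/in/archive": sha256 hex } for every file packed in an ASAR buffer.
// Layout: 8-byte size pickle, header pickle holding a JSON index, then raw file data.
function hashAsarFiles(buf) {
  const dataStart = 8 + buf.readUInt32LE(4); // file data follows the header pickle
  const jsonLen = buf.readUInt32LE(12);      // byte length of the JSON index
  const index = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const out = {};
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files)) {
      if (entry.files) { walk(entry, prefix + name + '/'); continue; }
      if (entry.unpacked || entry.offset === undefined) continue; // not in archive
      const start = dataStart + Number(entry.offset);
      out[prefix + name] = crypto.createHash('sha256')
        .update(buf.subarray(start, start + entry.size)).digest('hex');
    }
  })(index, '');
  return out;
}

// Compare current hashes against a baseline taken from a trusted install.
function diffBaseline(baseline, current) {
  const findings = [];
  for (const p of new Set([...Object.keys(baseline), ...Object.keys(current)])) {
    if (!(p in baseline)) findings.push('added: ' + p);
    else if (!(p in current)) findings.push('removed: ' + p);
    else if (baseline[p] !== current[p]) findings.push('modified: ' + p);
  }
  return findings.sort();
}

// Constructed helper (not a real wallet archive): build a small ASAR in memory.
function buildAsar(files) {
  let index = { files: {} }, chunks = [], off = 0;
  for (const [name, body] of Object.entries(files)) {
    const parts = name.split('/'), leaf = parts.pop();
    let node = index;
    for (const d of parts) node = node.files[d] || (node.files[d] = { files: {} });
    node.files[leaf] = { size: Buffer.byteLength(body), offset: String(off) };
    chunks.push(Buffer.from(body));
    off += Buffer.byteLength(body);
  }
  const json = Buffer.from(JSON.stringify(index));
  const padded = Math.ceil(json.length / 4) * 4;
  const head = Buffer.alloc(16 + padded);
  [4, 8 + padded, 4 + padded, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...chunks]);
}
```

Record the baseline from an installer whose publisher signature you have verified, then pass the installed app.asar (read with fs.readFileSync) to hashAsarFiles and feed both maps to diffBaseline. Any "modified" or "added" entry in a vendor bundle that does not coincide with an official wallet update warrants investigation.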
This type of attack is especially dangerous because it weaponizes trust—users think they’re installing legitimate tools, and even experienced developers may not notice anything amiss until it’s too late. Security experts are now urging developers and end-users to take several precautions: only install npm packages from verified, reputable authors, conduct regular audits of project dependencies, use tools to scan for suspicious or obfuscated code, and stay updated on known vulnerabilities, especially those affecting cryptocurrency tools and wallets.
The software supply chain has become one of the most vulnerable entry points for cybercriminals, and this incident is a stark reminder that crypto users are high-value targets. As cryptocurrency adoption grows, so does the sophistication of attacks aimed at stealing it. This isn’t just about wallet users losing money; it’s about trust in the infrastructure behind crypto. Open-source platforms like npm are incredible tools, but they also open doors for manipulation when oversight is lacking. To protect the crypto ecosystem, more robust security practices and better community awareness are urgently needed.
Hackers have been targeting cryptocurrency users by hijacking legitimate npm packages, injecting malicious code to redirect funds from cryptocurrency wallets. This sophisticated software supply chain attack highlights the growing threat to users' digital assets. The npm package manager, commonly used by JavaScript and Node.js developers, has become a vector for these attacks, with threat actors exploiting the trust placed in these packages to distribute malware. The malicious campaign specifically targets Atomic and Exodus wallets, two popular cryptocurrency storage solutions. By compromising the npm packages, hackers are able to inject code that can steal funds directly from users' wallets. This method of attack is particularly insidious because it leverages the trust that developers and users have in the npm ecosystem, making it difficult to detect and prevent.
The discovery of this attack underscores the importance of vigilance in the cybersecurity landscape. As cryptocurrency continues to gain popularity, it becomes an increasingly attractive target for cybercriminals. Users and developers must remain cautious and implement robust security measures to protect their digital assets. This includes regularly updating software, using reputable sources for packages, and being wary of any unusual activity or requests for sensitive information. The incident serves as a reminder of the evolving nature of cyber threats and the need for continuous monitoring and adaptation in security practices. As the digital landscape becomes more complex, so too do the methods employed by hackers. It is crucial for the industry to stay ahead of these threats by investing in advanced security technologies and fostering a culture of cybersecurity awareness.
