Malicious npm Package Hijacks Crypto Wallets, Redirects Funds

Researchers have uncovered a malicious software package uploaded to npm that covertly modifies locally installed versions of Atomic and Exodus wallets, enabling attackers to intercept and reroute digital currency transactions. This discovery was detailed in a recent report by ReversingLabs.

The campaign involved injecting trojanized code into the Atomic and Exodus wallet software, hijacking crypto transfers. The attack was centered around a deceptive npm package named pdf-to-office, which was presented as a library for converting PDF files to Office formats. However, the package lacked any actual file conversion features.

When executed, the package silently located and modified specific versions of Atomic and Exodus wallets on victims’ machines. It redirected outgoing crypto transactions to wallets controlled by threat actors. The attackers replaced legitimate JavaScript files inside the resources/app.asar archive with near-identical trojanized versions that substituted the user’s intended recipient address with a base64-decoded wallet belonging to the attacker.

For Atomic Wallet, versions 2.90.6 and 2.91.5 were specifically targeted. A similar method was applied to Exodus Wallet versions 25.9.2 and 25.13.3. Once modified, the infected wallets would continue redirecting funds even if the original npm package was deleted. Full removal and reinstallation of the wallet software were required to eliminate the malicious code.

ReversingLabs noted the malware’s attempts at persistence and obfuscation. Infected systems sent installation status data to an attacker-controlled IP address, and in some cases, zipped logs and trace files from AnyDesk remote access software were exfiltrated, suggesting an interest in deeper system infiltration or evidence removal.

The discovery follows a similar March campaign involving ethers-provider2 and ethers-providerz, which patched the ethers npm package to establish reverse shells. Both incidents highlight the rising complexity of supply chain attacks targeting the crypto space. ReversingLabs warned that these threats continue to evolve, especially in web3 environments where local installations of open-source packages are common.

Attackers increasingly rely on social engineering and indirect infection methods, knowing that most organizations fail to scrutinize already installed dependencies. According to the report, “This kind of patching attack remains viable because once the package is installed and the patch is applied, the threat persists even if the source npm module is removed.”

The malicious package was flagged by ReversingLabs’ machine-learning algorithms under Threat Hunting policy TH15502. It has since been removed from npm, but a republished version under the same name and version 1.1.2 briefly reappeared, indicating the threat actor’s persistence.

Investigators published hashes of affected files and wallet addresses used by the attackers as indicators of compromise (IOCs). These include wallets used for illicit fund redirection, as well as the SHA1 fingerprints of all infected package versions and associated trojanized files.

As software supply chain attacks become more frequent and technically refined, especially in the digital asset space, security experts are calling for stricter code auditing, dependency management, and real-time monitoring of local application changes. This incident underscores the need for heightened vigilance and robust security measures to protect against such sophisticated threats.