
Malicious npm Package Targets Crypto Wallets in Sneaky Supply Chain Attack


Cybersecurity researchers have uncovered a new software supply chain attack campaign involving the npm registry, where malicious actors are uploading packages that mimic useful developer tools but are designed to tamper with installed software and execute malicious code on victim machines.

The latest example is a package named pdf-to-office, which pretends to be a utility for converting PDF files into Microsoft Office documents. In reality, it’s a trojanized component designed to compromise local cryptocurrency wallet installations—specifically targeting Atomic Wallet and Exodus Wallet users.

A Deceptive npm Package with Malicious Intent

According to researchers at ReversingLabs, the pdf-to-office package was first published to the npm registry on March 24, 2025, and has since undergone multiple updates. The most recent version, 1.1.2, was uploaded on April 8, and at the time of the report, remained publicly available.

While the package appears benign, closer analysis revealed that it checks the victim’s system for installed cryptocurrency wallets and, if detected, modifies their internal code to silently redirect crypto transactions to attacker-controlled wallets.

“A victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor,” said ReversingLabs researcher Lucija Valentić.

So far, the package has been downloaded 334 times, making it a relatively low-volume campaign but one that demonstrates dangerous persistence and targeted precision.

Technical Details: How the Attack Works

Once installed, the malicious pdf-to-office package inspects the system for files linked to Atomic Wallet and Exodus Wallet:

For Atomic Wallet:

  • It looks for the atomic/resources/app.asar file within the user's program data.

  • If found, it overwrites specific files inside the archive with trojanized versions that maintain legitimate functionality but replace outbound wallet addresses with a Base64-encoded Web3 wallet address controlled by the attacker.

For Exodus Wallet:

  • Similar tampering is performed on the src/app/ui/index.js file.

The attack specifically targets certain versions of both wallets:

  • Atomic Wallet: 2.91.5 and 2.90.6

  • Exodus Wallet: 25.13.3 and 25.9.2

This targeted approach ensures the correct JavaScript files are overwritten, preserving functionality and reducing the likelihood of detection.
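Because the tampering lands inside specific entries of the Electron app.asar bundle (and a single index.js for Exodus), a whole-file hash tells you only that something changed, not which entry. The following added example (not code from ReversingLabs or the wallet vendors) parses the asar container format, hashes every entry, and diffs against a stored baseline; the archive contents are constructed stand-ins, not the real wallet files.

```python
import hashlib
import json
import struct

# Pack {path: bytes} into the asar container layout:
# [u32 4][u32 header_len][u32 payload_len][u32 json_len][json, 4-byte padded][file blobs].
# Used here only to build constructed test archives.
def build_asar(files):
    header, blobs, offset = {"files": {}}, [], 0
    for path, data in files.items():
        node = header["files"]
        *dirs, name = path.split("/")
        for d in dirs:
            node = node.setdefault(d, {"files": {}})["files"]
        node[name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    js = json.dumps(header).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)
    header_buf = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header_buf)) + header_buf + b"".join(blobs)

# Walk the asar JSON header and return {path: bytes} for every file entry.
def read_asar(blob):
    header_len = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    header = json.loads(blob[16:16 + json_len])
    base, out = 8 + header_len, {}
    def walk(node, prefix):
        for name, ent in node["files"].items():
            if "files" in ent:            # directory node
                walk(ent, prefix + name + "/")
            else:                         # file node: offset is relative to base
                start = base + int(ent["offset"])
                out[prefix + name] = blob[start:start + ent["size"]]
    walk(header, "")
    return out

def hash_entries(blob):
    return {p: hashlib.sha256(d).hexdigest() for p, d in read_asar(blob).items()}

# Compare per-entry hashes against a baseline recorded from a known-good install.
def diff_baseline(baseline, current):
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            findings.append((p, "removed"))
        elif p not in baseline:
            findings.append((p, "added"))
        elif baseline[p] != current[p]:
            findings.append((p, "modified"))
    return findings

# Constructed stand-ins: a clean bundle and a copy with one UI script swapped out.
CLEAN = build_asar({"package.json": b'{"name":"wallet"}', "src/app/ui/index.js": b"send(to);"})
TAMPERED = build_asar({"package.json": b'{"name":"wallet"}', "src/app/ui/index.js": b"send(OTHER);"})

def check_tampering():
    return diff_baseline(hash_entries(CLEAN), hash_entries(TAMPERED))
```

The baseline should be recorded from a fresh vendor download (and refreshed on each legitimate wallet update), since a baseline taken after the package ran would only enshrine the tampered state.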

“Even if the malicious package is later removed, the compromised crypto wallet software remains tampered with,” Valentić added. “The only true remediation is a complete removal and reinstall of the wallet application.”

Persistence Beyond Removal

What makes this attack particularly effective is its persistent nature. Once the wallets are modified, removing the pdf-to-office package doesn’t eliminate the threat. Users would need to completely delete and reinstall their cryptocurrency wallet applications to remove the malicious code.

This persistence mechanism mimics tactics seen in previous npm-based attacks, such as those involving ethers-provider2 and ethers-providerz, which established reverse shells on developer machines.

Related Threat: Malicious Visual Studio Code Extensions

This npm package discovery coincides with a separate report by ExtensionTotal, which uncovered 10 malicious Visual Studio Code (VS Code) extensions. These extensions were downloaded over a million times before being removed.

Malicious Extensions Included:

  • Prettier — Code for VSCode

  • Discord Rich Presence for VS Code

  • Rojo — Roblox Studio Sync

  • Solidity Compiler

  • Claude AI

  • Golang Compiler

  • ChatGPT Agent for VSCode

  • HTML Obfuscator

  • Python Obfuscator for VSCode

  • Rust Compiler for VSCode

These extensions secretly downloaded PowerShell scripts that:

  • Disabled Windows security features

  • Established persistence using scheduled tasks

  • Installed XMRig, a known cryptocurrency mining tool

“The attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they impersonated to avoid raising suspicion,” ExtensionTotal said.

Final Thoughts: Supply Chain Threats on the Rise

The growing use of open-source software and community platforms like npm and Visual Studio Code Marketplace has made them prime targets for attackers. These campaigns underscore the importance of:

  • Verifying the authenticity of packages and extensions before installation

  • Monitoring for unexpected file changes in applications, especially those involving sensitive data like crypto wallets

  • Using endpoint security tools capable of detecting tampered files or persistent malware

As attackers become more sophisticated, supply chain security must be a top priority for developers and organizations alike.