Researchers have uncovered a malicious software package on npm that altered users' Atomic Wallet and Exodus Wallet installations, allowing threat actors to reroute crypto transactions. The campaign, which used the pdf-to-office npm package, demonstrated a shift in tactics towards targeting locally installed trusted software rather than open-source libraries directly. Attackers patched key application files to redirect transactions to wallets under their control. The malicious code persisted even after the npm package was removed, so a full wallet reinstallation was needed to eliminate the threat.
The pdf-to-office package, uploaded to npm in March, masqueraded as a PDF to Office file conversion library but actually contained obfuscated code targeting specific versions of the Atomic and Exodus wallets. Attackers replaced legitimate files inside the wallet application with trojanized versions, redirecting outgoing crypto transactions to their own wallets. ReversingLabs identified targeted versions such as 2.90.6 and 2.91.5 for Atomic Wallet and 25.9.2 and 25.13.3 for Exodus Wallet. The malware also exhibited persistence and obfuscation techniques, sending data to attacker-controlled IP addresses and exfiltrating logs from the AnyDesk remote access software, potentially to cover the attackers' tracks.
This discovery is part of a broader trend in evolving supply chain threats that particularly impact the crypto space. A previous campaign in March patched the ethers npm package to establish reverse shells, highlighting the increasing complexity of attacks targeting web3 environments. ReversingLabs emphasized the importance of constant vigilance and auditing of locally installed dependencies, as attackers are leveraging social engineering and indirect infection methods to exploit organizations’ vulnerabilities. Once a package is installed and the patch is applied, the threat remains even if the source npm module is removed, underscoring the need for thorough security measures.
ReversingLabs' machine-learning algorithms detected the malicious package under Threat Hunting policy TH15502, and it has since been removed from npm. However, a republished version briefly resurfaced, indicating the persistence of the threat actors in distributing the malware. Investigators have shared hashes of affected files and wallet addresses used by the attackers as indicators of compromise. With software supply chain attacks becoming more frequent and sophisticated, security experts are urging stricter code auditing, dependency management, and real-time monitoring of local application changes to mitigate risks in the digital asset space.
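The defensive measure the researchers recommend, monitoring locally installed applications for file changes, can be reduced to a baseline-and-compare integrity check. The script below is an added example written for this article, not ReversingLabs' tooling or anything from the wallet vendors: it hashes every file under an application directory, stores the result, and on a later scan reports files that were added, removed, or modified. The directory layout and file names in the demo are constructed for illustration; on a real host the baseline would be taken from a fresh install and stored somewhere the application (and a package install script) cannot rewrite.

```python
"""Baseline-and-compare file integrity check for a locally installed application.

Added example (not ReversingLabs' or the wallet vendors' code). The install
path, file names and contents used in demo() are constructed placeholders.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large bundles are not loaded at once


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip directories and symlinks; a symlink swap is reported as a change
        # in the link target's content only if the target is inside root.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines and list added, removed and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(baseline: dict, path) -> None:
    """Persist a baseline as JSON (store it outside the monitored tree)."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Build a constructed application tree, baseline it, then tamper with it.

    Returns the diff so the result can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "ExampleWallet"  # placeholder, not a real install path
        (app / "resources").mkdir(parents=True)
        (app / "resources" / "app.js").write_text("// original bundle (constructed)\n")
        (app / "resources" / "vendor.js").write_text("// untouched (constructed)\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(app), baseline_file)

        # Simulate the kind of post-install modification the article describes:
        # one core file replaced in place and one new file dropped alongside it.
        (app / "resources" / "app.js").write_text("// modified bundle (constructed)\n")
        (app / "resources" / "extra.js").write_text("")

        return diff_baseline(load_baseline(baseline_file), build_baseline(app))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports `resources/app.js` as modified and `resources/extra.js` as added, which is exactly the signal a defender wants after any `npm install` touches a machine that also hosts wallet software. Two design points matter in practice: the baseline must be taken from a known-good install and kept where an install script running as the user cannot overwrite it, and a reported modification should be treated as a reinstall-from-vendor event rather than something to be reverted by removing the package, since the article notes the patched files survive removal of the npm module.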
In light of the pdf-to-office npm package attack targeting Atomic and Exodus wallets, security researchers have flagged the increasing threat of supply chain attacks in the crypto industry. The campaign involved a deceptive package uploaded to npm that covertly altered locally installed wallet software, allowing hackers to intercept and redirect crypto transactions. By patching key application files with malicious code, attackers were able to siphon funds to wallets controlled by them, even after the original npm package was deleted. This incident highlights the need for heightened security measures in auditing and monitoring dependencies to protect against evolving threats in the digital asset space.
The pdf-to-office npm package campaign, discovered by ReversingLabs, exemplifies a shift in tactics where attackers are targeting locally installed trusted software rather than direct compromise of open-source libraries. The package, posing as a PDF conversion tool, actually contained obfuscated code that specifically targeted Atomic and Exodus wallets, replacing legitimate files with trojanized versions to reroute crypto transactions. Hackers demonstrated persistence and obfuscation techniques by sending data to attacker-controlled IP addresses and exfiltrating logs from remote access software, indicating a sophisticated approach to covering their tracks. The recurring nature of supply chain attacks in the crypto space underscores the importance of ongoing vigilance and proactive security measures to safeguard against malicious threats.
The discovery of the pdf-to-office npm package campaign targeting Atomic and Exodus wallets highlights the growing complexity of supply chain attacks in the crypto industry. By patching key application files with stealthy malware, attackers were able to redirect crypto transactions to wallets under their control, even after the original npm package was removed. ReversingLabs identified the campaign as part of a broader trend where threat actors are increasingly targeting locally installed trusted software, rather than open-source libraries directly, to exploit vulnerabilities. This incident underscores the need for continuous auditing and monitoring of dependencies to mitigate risks in the digital asset space and protect against evolving threats from sophisticated hackers.