Crypto Users Targeted as Hackers Hijack Legitimate npm Packages

    Hackers are hijacking legitimate npm packages to target cryptocurrency wallets, injecting malicious code to redirect funds, highlighting the growing threat of supply chain attacks in crypto.

    By News Room

    Updated Apr 13, 2025 3:52 PM GMT+0

    A new and dangerous threat has emerged in the world of cryptocurrency, with hackers exploiting popular open-source tools to silently drain user funds. Cybersecurity researchers have uncovered a targeted malware campaign that manipulates npm (Node Package Manager) packages to infect cryptocurrency wallet applications like Atomic and Exodus, turning trusted software into silent thieves.

    The attack highlights growing concerns around supply chain vulnerabilities in the software ecosystem, especially as threat actors become more creative and precise in their methods.

    Sneaky npm Packages Masquerading as Useful Tools

    The campaign begins innocently enough—developers or users install what appears to be a legitimate npm package, such as one named pdf-to-office. This package, like many others in the Node.js ecosystem, offers seemingly useful functionality. But hidden beneath the surface is malicious code designed to locate, tamper with, and hijack crypto wallet software.

    Once installed on a system, the package quietly searches for known wallet applications. Its primary targets? The popular desktop wallets Atomic and Exodus. These apps, which are built using Electron (a framework that wraps web apps into desktop applications), are especially vulnerable to this type of tampering because of how their code is packaged.

    Malware Injects Itself Into Wallet Code

    Here’s where it gets more sophisticated. The malware extracts the ASAR archive used by Electron apps—essentially the bundle that contains all the application’s files. Once extracted, it locates specific JavaScript files, often vendor files like vendors.64b69c3b00e2a7914733.js, and injects malicious payloads directly into them.

    These payloads are engineered to intercept cryptocurrency transactions. So when an unsuspecting user sends funds using their wallet, the malicious code quietly swaps the destination wallet address with one controlled by the attackers. The user receives no warning, and the funds vanish, irretrievably, into a hacker’s pocket.

    To make matters worse, after the injection is complete, the package neatly repacks the files, leaving no visible signs of tampering. Everything continues to run as expected, making the malware extremely difficult for the average user to detect.

    Crypto Theft on the Rise – Here’s How to Stay Safe

    This type of attack is especially dangerous because it weaponizes trust—users think they’re installing legitimate tools, and even experienced developers may not notice anything amiss until it’s too late.

    Security experts are now urging developers and end-users to take several precautions:

    • Only install npm packages from verified, reputable authors.
    • Conduct regular audits of project dependencies.
    • Use tools to scan for suspicious or obfuscated code.
    • Stay updated on known vulnerabilities, especially those affecting cryptocurrency tools and wallets.

    The software supply chain has become one of the most vulnerable entry points for cybercriminals, and this incident is a stark reminder that crypto users are high-value targets.

    The Bigger Picture: Protecting the Ecosystem

    As cryptocurrency adoption grows, so does the sophistication of attacks aimed at stealing it. This isn’t just about wallet users losing money; it’s about trust in the infrastructure behind crypto.

    Open-source platforms like npm are incredible tools, but they also open doors for manipulation when oversight is lacking. To protect the crypto ecosystem, more robust security practices and better community awareness are urgently needed.


    Newsroom is the editorial team of CoinfoMania, delivering 24/7 crypto news, market insights, and in-depth analysis. With 30+ journalists worldwide, we keep you ahead in the blockchain space.
