Researchers have discovered a malicious software package uploaded to npm that secretly alters locally installed versions of crypto wallets and allows attackers to intercept and reroute digital currency transactions, ReversingLabs revealed in a recent report.
The campaign injected trojanized code into locally installed Atomic and Exodus wallet software and hijacked crypto transfers. The attack centered on a deceptive npm package, pdf-to-office, which posed as a library for converting PDF files to Office formats.
When executed, the package silently located and modified specific versions of Atomic and Exodus wallets on victims’ machines, redirecting outgoing crypto transactions to wallets controlled by threat actors.
ReversingLabs said the campaign exemplifies a broader shift in tactics: rather than directly compromising open-source libraries, which often triggers swift community responses, attackers are increasingly distributing packages designed to “patch” local installations of trusted software with stealthy malware.
Targeted file patching
The pdf-to-office package was first uploaded to npm in March and updated multiple times through early April. Despite its stated function, the package lacked actual file conversion features.
Instead, its core script executed obfuscated code that searched for local installations of Atomic Wallet and Exodus Wallet and overwrote key application files with malicious variants.
The attackers replaced legitimate JavaScript files inside the resources/app.asar archive with near-identical trojanized versions that substituted the user’s intended recipient address with a base64-decoded wallet belonging to the attacker.
For Atomic Wallet, versions 2.90.6 and 2.91.5 were specifically targeted. Meanwhile, a similar method was applied to Exodus Wallet versions 25.9.2 and 25.13.3.
Once modified, the infected wallets would continue redirecting funds even if the original npm package was deleted. Full removal and reinstallation of the wallet software were required to eliminate the malicious code.
ReversingLabs also noted the malware’s attempts at persistence and obfuscation. Infected systems sent installation status data to an attacker-controlled IP address (178.156.149.109), and in some cases, zipped logs and trace files from AnyDesk remote access software were exfiltrated, suggesting an interest in deeper system infiltration or evidence removal.
Expanding software supply chain threats
The discovery follows a similar March campaign involving ethers-provider2 and ethers-providerz, which patched the ethers npm package to establish reverse shells. Both incidents highlight the rising complexity of supply chain attacks targeting the crypto space.
ReversingLabs warned that these threats continue to evolve, especially in web3 environments where local installations of open-source packages are common. Attackers increasingly rely on social engineering and indirect infection methods, knowing that most organizations fail to scrutinize already installed dependencies.
According to the report:
“This kind of patching attack remains viable because once the package is installed and the patch is applied, the threat persists even if the source npm module is removed.”
The malicious package was flagged by ReversingLabs’ machine-learning algorithms under Threat Hunting policy TH15502. It has since been removed from npm, but a republished version under the same name and version 1.1.2 briefly reappeared, indicating the threat actor’s persistence.
Investigators published hashes of affected files and wallet addresses used by the attackers as indicators of compromise (IOCs). These include wallets used for illicit fund redirection, as well as the SHA1 fingerprints of all infected package versions and associated trojanized files.
As software supply chain attacks become more frequent and technically refined, especially in the digital asset space, security experts are calling for stricter code auditing, dependency management, and real-time monitoring of local application changes.
Mentioned in this article
