Fake npm Package Steals Crypto by Targeting Atomic Wallet and Exodus Users
Attackers are using a stealthier approach to software supply chain attacks, injecting malicious code into the npm registry to replace legitimate libraries on users' machines. This new tactic targets cryptocurrency users, specifically those with Atomic Wallet and Exodus, by swapping out their crypto addresses with attacker-controlled ones to divert funds.
Cybersecurity researchers have uncovered a new, stealthy tactic being used by hackers: injecting malicious code into existing software libraries through the npm registry. The goal? To compromise software supply chains and steal cryptocurrency.
This time, the culprit is a package called pdf-to-office. Sounds innocent enough, right? It claims to convert PDF files into Microsoft Word documents. But under the hood, it's designed to inject malicious code into popular cryptocurrency wallets like Atomic Wallet and Exodus.
"Imagine trying to send crypto, but the destination address is secretly swapped with the attacker's," explains Lucija Valentić, a researcher at ReversingLabs. That's exactly what this malware does. Valentić shared her findings with The Hacker News.
The package first appeared on March 24, 2025, and has been updated a few times since. It's been downloaded over 300 times so far. Scary, huh?
This discovery comes hot on the heels of two other malicious npm packages, ethers-provider2 and ethers-providerz, which were designed to infect local packages and create a backdoor for attackers.
Why is this approach so appealing to hackers? Because even if you remove the malicious package, the malware can stick around on your system.
How the Attack Works
The "pdf-to-office" package checks if Atomic Wallet is installed by looking for the "atomic/resources/app.asar" archive. If it finds it, it replaces a legitimate file with a modified version that secretly redirects crypto transactions to the attacker's wallet. This is a classic "clipper" attack.
Similarly, it targets the "src/app/ui/index.js" file in Exodus wallet.
Interestingly, the attack targets specific versions of Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2) to ensure the correct files are compromised.
Even if you remove the "pdf-to-office" package, your wallet remains compromised! The only way to fix it is to completely uninstall and reinstall your crypto wallet software, according to Valentić.
VS Code Extensions Also Under Attack
In related news, ExtensionTotal recently uncovered 10 malicious Visual Studio Code extensions that were secretly installing cryptominers and disabling Windows security. These extensions were installed over a million times before being taken down!
Here are the names of the malicious extensions:
- Prettier — Code for VSCode (by prettier)
- Discord Rich Presence for VS Code (by Mark H)
- Rojo — Roblox Studio Sync (by evaera)
- Solidity Compiler (by VSCode Developer)
- Claude AI (by Mark H)
- Golang Compiler (by Mark H)
- ChatGPT Agent for VSCode (by Mark H)
- HTML Obfuscator (by Mark H)
- Python Obfuscator for VSCode (by Mark H)
- Rust Compiler for VSCode (by Mark H)
According to ExtensionTotal, the attackers were sneaky, even installing legitimate versions of the extensions they were impersonating to avoid suspicion.
