Malicious Npm Package Mimics Nodemailer

September 4, 2025
in Alerts

Cybersecurity researchers recently unearthed a deceptive npm package, nodejs-smtp, that poses as the well-known email library nodemailer. The malicious package, uploaded by a user named “nikotimon,” was designed with an identical tagline, page styling, and README descriptions to attract unsuspecting developers. With 347 downloads before it was removed from the npm registry, its main purpose was to act as a cryptocurrency clipper by targeting popular desktop wallets such as Atomic and Exodus on Windows systems. The deceptive package even maintained its stated SMTP-based mailer functionality, which helped it avoid suspicion and ensured that developers’ application tests would still pass.

The primary mechanism of the malicious package involves abusing Electron tooling (Electron being the framework used to build desktop applications with web technologies). When imported, the package automatically unpacks the targeted application’s app.asar archive, which holds the application’s core code and assets. It then replaces a specific vendor bundle with its own malicious payload. After the code injection is complete, the package repacks the application and deletes its temporary working directories to remove any traces of the compromise. Because the modified archive is written back in place, the injected code is planted discreetly and survives system reboots, so the affected wallet application stays compromised.

The core objective of the injected malicious code is to intercept and redirect cryptocurrency transactions. By acting as a clipper, the payload is designed to overwrite the legitimate recipient’s address with a hard-coded wallet address controlled by the threat actor. This functionality allows the attacker to hijack various cryptocurrency transactions, including Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL). Instead of the funds going to the intended recipient, they are rerouted to the attacker’s wallet, effectively draining the user’s funds without them realizing the compromise until it is too late.

This discovery is not an isolated incident. Months before this campaign, another malicious npm package, pdf-to-office, was found to employ a similar strategy. That package also unpacked the app.asar archives of Atomic and Exodus wallets and modified a JavaScript file within them to introduce a clipper function. This pattern suggests a recurring and evolving threat where attackers are exploiting developer workflows and the trust in package repositories like npm to distribute malware. These campaigns highlight the need for developers to exercise caution and thoroughly vet any third-party dependencies they integrate into their projects.

The incident serves as a significant warning about the risks associated with supply chain attacks in the software development ecosystem. As noted by Socket researcher Kirill Boychenko, the campaign demonstrates how a routine import can quietly and permanently modify a separate desktop application, turning a seemingly innocuous mailer library into a wallet drainer. This type of attack underscores the importance of robust security practices, including using tools that can analyze dependencies for malicious behavior and maintaining strict control over what code is allowed to execute during the build and import process.

Reference:

  • Malicious Npm Package Nodejs Smtp Mimics Nodemailer And Targets Crypto Wallets