Cybersecurity researchers recently unearthed a deceptive npm package, nodejs-smtp, that poses as the well-known email library nodemailer. The malicious package, uploaded by a user named “nikotimon,” copied nodemailer's tagline, page styling, and README descriptions to attract unsuspecting developers. It was downloaded 347 times before it was removed from the npm registry. Its main purpose was to act as a cryptocurrency clipper targeting popular desktop wallets such as Atomic and Exodus on Windows systems. The deceptive package even retained working SMTP-based mailer functionality, which helped it avoid suspicion and ensured that developers’ application tests would still pass.
The primary mechanism of the malicious package involves abusing Electron tooling (Electron is a framework used to build desktop applications with web technologies). When imported, the package automatically unpacks the targeted application’s app.asar archive, which holds the application’s core code and assets. It then replaces a specific vendor bundle with its own malicious payload. After the code injection is complete, the package repacks the application and deletes its temporary working directories to remove traces of the compromise. Because the modification lives inside the wallet application itself rather than in the importing project, the injected code survives system reboots and remains active every time the affected application is launched.
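As an added example of the defensive side of this technique (not code from the article, from Socket, or from the nodejs-smtp package), the following heuristic scanner flags dependency source code that unpacks, rewrites and repacks another application's app.asar archive in the way described above. The indicator names, weights and threshold are assumptions chosen for illustration, and both inputs are constructed fixtures, not real package code.

```javascript
// Heuristic indicators of Electron app.asar tampering (assumed names/weights).
// extractAll / createPackage are the documented @electron/asar API calls.
const INDICATORS = [
  ['asar_unpack',   /\bextractAll\s*\(/, 3],
  ['asar_repack',   /\bcreatePackage(?:WithOptions)?\s*\(/, 3],
  ['app_asar_path', /app\.asar\b/, 2],
  ['wallet_target', /\b(?:atomic|exodus)\b/i, 2],
  ['temp_cleanup',  /\brmSync\s*\([^)]*recursive\s*:\s*true/, 1],
];

// Score one file's source text; anything at or above the threshold is flagged.
function scanPackageSource(source, threshold = 5) {
  const matched = INDICATORS.filter(([, re]) => re.test(source));
  const hits = matched.map(([name]) => name);
  const score = matched.reduce((sum, [, , weight]) => sum + weight, 0);
  return { hits, score, suspicious: score >= threshold };
}

// Scan a { path: source } map, e.g. built by reading each .js file under
// node_modules, and return only the files that trip the threshold.
function flagPackages(files, threshold = 5) {
  return Object.entries(files)
    .map(([file, src]) => ({ file, ...scanPackageSource(src, threshold) }))
    .filter((result) => result.suspicious);
}

// Constructed fixture: a plain SMTP helper, the kind of code a mailer should contain.
const CONSTRUCTED_BENIGN = `
const net = require('net');
function sendMail(opts) { const s = net.connect(opts.port, opts.host); s.write('EHLO local\\r\\n'); }
module.exports = { sendMail };
`;

// Constructed fixture mirroring the unpack / replace / repack / cleanup sequence.
const CONSTRUCTED_SUSPICIOUS = `
const asar = require('asar'); const fs = require('fs'); const path = require('path');
const appDir = path.join(process.env.LOCALAPPDATA, 'Programs', 'atomic', 'resources');
asar.extractAll(path.join(appDir, 'app.asar'), 'tmp_unpacked');
// ... vendor bundle inside tmp_unpacked is overwritten here ...
asar.createPackage('tmp_unpacked', path.join(appDir, 'app.asar'));
fs.rmSync('tmp_unpacked', { recursive: true, force: true });
`;

module.exports = { INDICATORS, scanPackageSource, flagPackages, CONSTRUCTED_BENIGN, CONSTRUCTED_SUSPICIOUS };
```

A hit list is a prompt for manual review, not proof of malice: legitimate Electron build scripts also call these APIs, so the scan is most useful when run against freshly added runtime dependencies rather than devDependencies.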
The core objective of the injected malicious code is to intercept and redirect cryptocurrency transactions. By acting as a clipper, the payload is designed to overwrite the legitimate recipient’s address with a hard-coded wallet address controlled by the threat actor. This functionality allows the attacker to hijack various cryptocurrency transactions, including Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL). Instead of the funds going to the intended recipient, they are rerouted to the attacker’s wallet, effectively draining the user’s funds without them realizing the compromise until it is too late.
This discovery is not an isolated incident. Months before this campaign, another malicious npm package, pdf-to-office, was found to employ a similar strategy. That package also unpacked the app.asar archives of Atomic and Exodus wallets and modified a JavaScript file within them to introduce a clipper function. This pattern suggests a recurring and evolving threat where attackers are exploiting developer workflows and the trust in package repositories like npm to distribute malware. These campaigns highlight the need for developers to exercise caution and thoroughly vet any third-party dependencies they integrate into their projects.
The incident serves as a significant warning about the risks associated with supply chain attacks in the software development ecosystem. As noted by Socket researcher Kirill Boychenko, the campaign demonstrates how a routine import can quietly and permanently modify a separate desktop application, turning a seemingly innocuous mailer library into a wallet drainer. This type of attack underscores the importance of robust security practices, including using tools that can analyze dependencies for malicious behavior and maintaining strict control over what code is allowed to execute during the build and import process.