A new attack targeting cryptocurrency users has emerged through the npm registry, where threat actors upload malicious packages. These packages, masquerading as useful tools, secretly inject harmful code into cryptocurrency wallet software. The latest package, pdf-to-office, appears as a converter for PDF files but instead modifies the files of wallets like Atomic Wallet and Exodus. Once installed, it alters cryptocurrency transaction addresses, directing funds to attackers.
The package, published in March 2025, has received multiple updates, with the latest version uploaded in April.
The malicious code checks for the presence of specific wallet files in the system to target vulnerable installations. If found, it replaces the legitimate files with trojanized versions, swapping outgoing transaction addresses. This allows the attacker to silently redirect cryptocurrency funds without raising suspicion.
One major concern is the persistence of the attack. Even if the malicious package is removed, the infected wallet software remains compromised, continuing to channel funds to the attacker’s address. Affected users would need to completely remove and reinstall their wallet software to eliminate the threat. This attack highlights the risks of software supply chain vulnerabilities, especially when malicious packages evade detection and continue functioning even after removal.
This attack follows a similar campaign earlier in March, which targeted npm packages and infected local installations with reverse shell payloads.
The cryptocurrency sector faces increasing risks from sophisticated software supply chain attacks, emphasizing the need for better security practices. Software developers and users must be vigilant, adopting thorough monitoring systems to mitigate such risks.
