Atomic and Exodus crypto wallets targeted in malicious npm campaign

April 14, 2025, 5:17 p.m.

Description

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF-to-Office converter, injects malicious code into locally installed Atomic and Exodus wallets. The attack modifies legitimate wallet files so that crypto funds are redirected to the attacker's wallet. The compromise is persistent: removing the malicious package does not remove the injected code from the wallets. Multiple versions of both wallets were targeted, with the attackers adapting their code accordingly. This incident highlights the growing scope of software supply chain risks, particularly in the cryptocurrency industry, and emphasizes the need for improved monitoring of both source code repositories and locally deployed applications.

Date

  • Created: April 14, 2025, 5:12 p.m.
  • Published: April 14, 2025, 5:12 p.m.
  • Modified: April 14, 2025, 5:17 p.m.

Indicators

  • 178.156.149.109

Attack Patterns

Additional Information

  • Technology
  • Finance
  • 18u6Tpa6oN4wyL9i1Ry6Cx3wsLkRd7waom
  • 12xe39N4h4T5qPHSuPQVjg5HM6SVs9hf42