Cybersecurity experts have uncovered a sophisticated malware campaign targeting cryptocurrency wallets, specifically affecting users of Ethereum (ETH), XRP, and Solana (SOL). The attackers have employed compromised Node Package Manager (NPM) packages—common tools used by software developers—to silently inject malicious code into popular wallet applications such as Atomic and Exodus.
The malware operates subtly and without the knowledge of the wallet owners. It begins its infection chain when unsuspecting developers incorporate seemingly legitimate NPM packages into their coding projects. One such compromised package identified by researchers is called “pdf-to-office.” Although designed to appear harmless, the package contains hidden code capable of scanning user devices to identify installed cryptocurrency wallet applications.
Once a wallet application is located, the malware extracts its installation files into a temporary directory, injects malicious code into critical portions of the wallet’s transaction-handling functions, and then repackages it. This technique enables the malware to redirect outbound cryptocurrency transactions to wallet addresses controlled by the attackers.
Researchers report that the malware specifically replaces the recipient addresses during transactions, encoding attacker-controlled addresses in base64 to avoid detection. Consequently, transactions appear normal within the wallet interface, giving users no immediate indication of the theft. It is only by examining the transaction details directly on the blockchain that affected individuals discover their assets have been diverted to an unknown address.
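A detection-side illustration of the address substitution described above, added here as an example (it is not code from the ReversingLabs analysis or from any wallet project): it scans a JavaScript bundle for base64 string literals that decode to an ETH, Tron, XRP or Solana address shape, which is what an injected recipient override would look like. The bundle fragment and the addresses in it are constructed placeholders.

```python
import base64
import binascii
import re

# Address shapes for the chains named in the report (base58 omits 0, O, I, l).
B58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRON", re.compile(rf"^T{B58}{{33}}$")),
    ("XRP", re.compile(rf"^r{B58}{{24,34}}$")),
    ("SOL", re.compile(rf"^{B58}{{32,44}}$")),
]
# Quoted string literals long enough to hold a base64-encoded address.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{20,}={0,2})["']""")

# Constructed sample: a bundle fragment whose recipient parameter is overwritten
# with a base64 literal. The addresses are all-zero / all-'p' placeholders.
PLACEHOLDER_ETH = "0x" + "0" * 40
PLACEHOLDER_XRP = "r" + "p" * 33
SAMPLE_JS = f"""
const label = "{base64.b64encode(b'transaction fee').decode()}";
function sendEth(to, amount) {{
  to = atob("{base64.b64encode(PLACEHOLDER_ETH.encode()).decode()}");
  return submit(to, amount);
}}
function sendXrp(to, amount) {{
  to = atob("{base64.b64encode(PLACEHOLDER_XRP.encode()).decode()}");
  return submit(to, amount);
}}
"""

def decode_literal(literal):
    """Decode a base64 literal to ASCII text, or return None if it is not one."""
    try:
        return base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_encoded_addresses(js_source):
    """Return (chain, literal, decoded) for each literal decoding to an address shape."""
    hits = []
    for match in B64_LITERAL.finditer(js_source):
        decoded = decode_literal(match.group(1))
        for chain, pattern in ADDRESS_PATTERNS:
            if decoded and pattern.match(decoded):
                hits.append((chain, match.group(1), decoded))
                break
    return hits
```

The Solana shape is loose enough to match some ordinary base58-looking strings, so hits are review candidates to compare against the vendor's unmodified release, not proof of tampering on their own.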
This malware campaign reflects a concerning escalation in software supply chain attacks aimed at cryptocurrency users, highlighting the growing sophistication and the discreet nature of these threats. Campaign operators are actively targeting several popular cryptocurrencies beyond Ethereum, including Tron-based USDT, XRP, and Solana. Through extensive technical analysis, cybersecurity firm ReversingLabs discovered multiple signs of malicious activity in these packages, including suspicious URLs, distinct code patterns, and advanced obfuscation methods designed specifically to evade detection.
Warnings have been issued urging developers to exercise vigilance when installing NPM packages and verify the authenticity of external libraries and components. Experts emphasize that heightened awareness and stringent vetting of third-party source code remain critical to safeguarding cryptocurrency assets against increasingly refined cyber theft schemes.