Malicious npm Package Targets Crypto Wallets Like Exodus and Atomic

Security researchers at ReversingLabs have uncovered a new method attackers are using to steal cryptocurrency, this time through a seemingly harmless npm package. The attack involves planting malicious code in open-source libraries and replacing key wallet components without alerting users.

Good to know

• Attackers are targeting open-source repositories like npm to spread crypto wallet malware.
• The malicious package poses as a PDF-to-Office converter.
• The malware is distributed through a package listed on the npm repository that claims to convert PDF files to Microsoft Office formats.

Once installed, the package modifies local files tied to two widely used crypto wallets—Atomic and Exodus.

After the malware takes hold, it quietly replaces legitimate wallet files with modified ones. These new files reroute outgoing crypto transactions, redirecting funds to wallets controlled by the attacker rather than the intended recipients.

Even uninstalling the infected npm package doesn’t undo the damage. According to ReversingLabs, “The Web3 wallets’ software would remain compromised and continue to channel crypto funds to the attackers’ wallet.” The firm recommends users fully remove and reinstall the wallet applications to ensure any infected components are completely cleared.

The attack technique isn’t new but has gained traction because it’s easy to disguise. By injecting code into software repositories that developers and users trust, malicious actors can gain access to wallets without triggering antivirus alerts or system warnings.

The cybersecurity team at ReversingLabs says it’s seeing a pattern where trusted utility tools—like document converters—are being weaponized to blend into normal development environments. Once these tools are adopted, they silently inject code that targets financial software already installed on a user’s system.