{"id":50743,"date":"2025-04-15T08:38:17","date_gmt":"2025-04-15T08:38:17","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/malicious-npm-package-targets-crypto-wallets-like-exodus-and-atomic\/"},"modified":"2025-04-15T08:38:17","modified_gmt":"2025-04-15T08:38:17","slug":"malicious-npm-package-targets-crypto-wallets-like-exodus-and-atomic","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/malicious-npm-package-targets-crypto-wallets-like-exodus-and-atomic\/","title":{"rendered":"Malicious npm Package Targets Crypto Wallets Like Exodus and Atomic"},"content":{"rendered":"<p><b>(Originally posted on : Crypto News &#8211; iGaming.org )<\/b><br \/>\n<\/p>\n<div>\n<p>Security researchers at ReversingLabs have uncovered a new method attackers are using to steal cryptocurrency, this time through a seemingly harmless npm package. The attack involves planting malicious code in open-source libraries and replacing key wallet components without alerting users.<\/p>\n<hr\/>\n<p><em><strong>Good to know<\/strong><\/em><\/p>\n<ul>\n<li><em><strong>Attackers are targeting open-source repositories like npm to spread crypto wallet malware.<\/strong><\/em><\/li>\n<li><em><strong>The malicious package poses as a PDF-to-Office converter.<\/strong><\/em><\/li>\n<li><em><strong>The malware is distributed through a package listed on the npm repository that claims to convert PDF files to Microsoft Office formats.<\/strong><\/em><\/li>\n<\/ul>\n<hr\/>\n<p>Once installed, the package modifies local files tied to two widely used crypto wallets\u2014Atomic and Exodus.<\/p>\n<p>After the malware takes hold, it quietly replaces legitimate wallet files with modified ones. These new files reroute outgoing crypto transactions, redirecting funds to wallets controlled by the attacker rather than the intended recipients.<\/p>\n<p>Even uninstalling the infected npm package doesn\u2019t undo the damage. According to ReversingLabs, <em>\u201cThe Web3 wallets\u2019 software would remain compromised and continue to channel crypto funds to the attackers\u2019<\/em> wallet.\u201d The firm recommends users fully remove and reinstall the wallet applications to ensure any infected components are completely cleared.<\/p>\n<div class=\"main-org-3-item-ins box-100 relative mb-4\">\n<div class=\"space-org-3-items box-100 relative\">\n<div class=\"box-100 space-org-3-item relative border-tb mt-1 \">\n<div class=\"space-org-3-item-ins box-100 relative\">\n<div class=\"space-org-3-item-terms box-25 relative\">\n<div class=\"space-org-3-item-terms-ins box-100 text-center relative\"> <strong>177% up to 5BTC + 77 <strong> Free Spins<\/strong>!<\/strong> <\/p>\n<p>New players only. Exclusive Welcome Bonus of 177% + 77 Free Spins <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The attack technique isn\u2019t new but has gained traction because it\u2019s easy to disguise. By injecting code into software repositories that developers and users trust, malicious actors can gain access to wallets without triggering antivirus alerts or system warnings.<\/p>\n<p>The cybersecurity team at ReversingLabs says it\u2019s seeing a pattern where trusted utility tools\u2014like document converters\u2014are being weaponized to blend into normal development environments. Once these tools are adopted, they silently inject code that targets financial software already installed on a user\u2019s system.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/igaming.org\/crypto\/crypto-wallet-users-targeted-through-npm-package-disguised-as-file-converter\/\">Source link <\/a><br \/>\n<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Originally posted on : Crypto News &#8211; iGaming.org ) Security researchers at ReversingLabs have uncovered a new method attackers are using to steal cryptocurrency, this time through a seemingly harmless npm package. The attack involves planting malicious code in open-source libraries and replacing key wallet components without alerting users. Good to know Attackers are targeting [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":50744,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[34],"tags":[],"_links":{"self":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/50743"}],"collection":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/comments?post=50743"}],"version-history":[{"count":0,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/50743\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media\/50744"}],"wp:attachment":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media?parent=50743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/categories?post=50743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/tags?post=50743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}