Beware: Malicious npm Package Bombards Crypto Users with Address Swapping Attacks!

Malicious npm Package Targets Atomic Wallet and Exodus Users with Crypto Address Swapping

Date: April 10, 2025
By: Ravie Lakshmanan
Category: Malware / Cryptocurrency

In a troubling development for cryptocurrency users, threat actors have uploaded a malicious package named pdf-to-office to the npm registry. Disguised as a PDF conversion tool, it is designed to tamper with the locally installed software of two leading cryptocurrency wallets, Atomic Wallet and Exodus. The package came to light amid ongoing concern about software supply chain attacks aimed at compromising user security.

The Attack Unveiled

The pdf-to-office package was first made available on March 24, 2025, and has since received three updates—though earlier versions may have been removed by the authors for undisclosed reasons. The most recent version, 1.1.2, was uploaded on April 8 and has been downloaded approximately 334 times to date.

Lucija Valentić, a researcher at ReversingLabs, reported that this malicious package allows attackers to swap cryptocurrency wallet addresses during transactions. Specifically, when a victim attempts to send crypto funds, the malware replaces the intended wallet address with one belonging to the malicious actor. This technique enables threat actors to divert funds to their own wallets without the victim’s knowledge.

Technical Mechanics

Upon analysis, the pdf-to-office package was found to contain malicious code that checks for a specific file structure associated with Atomic Wallet on the victim's Windows computer. If it is found, the code injects clipper functionality, which rewrites outgoing cryptocurrency addresses.

To carry out the attack, the code targets JavaScript files inside the wallet software. For Atomic Wallet it looks for the "atomic/resources/app.asar" archive, while for Exodus it targets "src/app/ui/index.js". The malicious code only patches particular versions of each wallet: Atomic Wallet 2.91.5 and 2.90.6, and Exodus 25.13.3 and 25.9.2.

"If the pdf-to-office package were to be removed from the system, the malicious changes would remain intact, allowing attackers to continue siphoning funds," Valentić explained. "Complete removal of the malicious influence would only come from entirely uninstalling and reinstalling the affected software."
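Because the patched wallet files outlive removal of the npm package, the practical check is a file-integrity baseline taken after a clean reinstall and re-verified later. The following is an added example written for this article, not code from ReversingLabs or either wallet vendor; it assumes the two relative paths named above sit under each wallet's install directory, and its demo() builds a constructed fixture rather than touching a real install.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative paths the article names as the patch targets; assumed to be relative
# to each wallet's install directory (adjust for your own installation).
WATCHED_FILES = {
    "atomic": ("atomic/resources/app.asar",),
    "exodus": ("src/app/ui/index.js",),
}

def sha256_file(path: Path) -> str:
    """Stream-hash the file; app.asar can be large, so avoid reading it whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(install_dirs: dict) -> dict:
    """Hash every watched file that exists. Take the baseline right after a
    clean (re)install: the patched files outlive removal of the npm package."""
    baseline = {}
    for wallet, rel_paths in WATCHED_FILES.items():
        root = install_dirs.get(wallet)
        for rel in rel_paths:
            if root is not None and (root / rel).is_file():
                baseline[f"{wallet}:{rel}"] = sha256_file(root / rel)
    return baseline

def verify(install_dirs: dict, baseline: dict) -> list:
    """Compare live files against the baseline; return sorted drift findings."""
    current = snapshot(install_dirs)
    findings = [f"{'MISSING' if key not in current else 'MODIFIED'} {key}"
                for key, expected in baseline.items() if current.get(key) != expected]
    findings += [f"NEW {key}" for key in current if key not in baseline]
    return sorted(findings)

def demo() -> list:
    """Constructed fixture: fake wallet trees, then tamper with Exodus' index.js."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {"atomic": Path(tmp, "atomic"), "exodus": Path(tmp, "exodus")}
        for wallet, rel_paths in WATCHED_FILES.items():
            for rel in rel_paths:
                target = dirs[wallet] / rel
                target.parent.mkdir(parents=True)
                target.write_bytes(b"clean build contents")
        baseline = snapshot(dirs)
        (dirs["exodus"] / "src/app/ui/index.js").write_bytes(b"clean build // patched")
        return verify(dirs, baseline)
```

Store the baseline somewhere the wallet process cannot write (for example a read-only share or a password manager note) so a patched file cannot also quietly update the reference hash.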

Broader Context of Cyber Threats

This incident follows the recent disclosure of two other malicious npm packages, ethers-provider2 and ethers-providerz, which were found to establish reverse shells to attacker-controlled servers. Such tactics highlight an alarming trend: threats are becoming more sophisticated, with malicious actors embedding themselves in legitimate development environments.

In another recent incident, cybercriminals employed ten malicious Visual Studio Code extensions that stealthily download PowerShell scripts to disable Windows security features; the extensions were also designed to mine cryptocurrency without users' consent.

With the growing prevalence of software supply chain attacks and the need for increased vigilance, both developers and users are urged to exercise caution when downloading packages from npm and similar repositories. Ensuring that software installations come from verified sources and remaining updated on security measures is critical for protecting personal and financial information in an ever-evolving digital landscape.

Conclusion

As cybersecurity threats continue to evolve, it becomes essential for individuals and organizations alike to remain informed and proactive. Continuous monitoring of system integrity, regular updates, and a cautious approach to software downloads can significantly mitigate risks associated with such malicious activities.
