Threat actors are injecting malicious codes into legitimate crypto projects

Malicious actors are now injecting malicious codes into legitimate projects to steal digital assets from unsuspecting users. According to reports, cybersecurity researchers have uncovered a sophisticated malware campaign that is targeting crypto users through compromised npm packages.

According to the report, the attack specifically targets users of the Atomic and Exodus wallets, with the attacker hijacking transactions by injecting malicious codes that redirect funds to the attacker’s wallet. The latest campaign is in line with the ongoing chain of attacks against crypto users through software supply chain attacks.

The origin of the attack is usually from the developers, with most of them unknowingly installing the compromised npm packages in their projects. One such package identified in this campaign is “pdf-to-office,” which appears normally and looks legitimate but contains hidden malicious codes. After it is installed, the package scans the user’s device for installed crypto wallets and injects the malicious code that is capable of intercepting and redirecting transactions without the user’s knowledge.

Cybersecurity researchers flag malicious codes targeting crypto wallets

The impact of this attack is very dire for victims, with the malicious codes capable of silently redirecting crypto transactions to the wallets controlled by the attacker. These attacks work across several digital assets, including Ethereum, Solana, XRP, and Tron-based USDT. The malware effectively carries out this attack, switching the wallet addresses from the legitimate one to the attacker-controlled address at the moment that a user wants to send funds.

The malicious campaign was discovered by ReversingLabs researchers through their analysis of suspicious npm packages. The researchers mentioned that there are so many tell signs of malicious behaviors including the suspicious URL connections and code patterns similar to previously discovered malicious packages. They mentioned that there have been a number of campaigns that have attempted to use the malicious code this week. They believe that the attackers are using this technique to maintain persistence and evade detection.

“Most recently, a campaign launched on April 1 published a package, pdf-to-office, to the npm package manager that posed as a library for converting PDF format files to Microsoft Office documents. When executed, the package injected malicious code into legitimate, locally-installed crypto wallet software Atomic Wallet and Exodus, overwriting existing, non-malicious files in the process,” ReversingLabs said.

Infection mechanism and code injection

According to technical examination, the attack is multi-stage and begins when a user installs the package. The rest happens when they proceed through wallet identification, file extraction, malicious code injection, and ultimately transaction hijacking. The attackers also use obfuscation techniques to hide their intentions, making it hard for traditional tools to pick it up, making it too late by the time the user discovers.

After installation, the infection begins when the malicious package executes its payload targeting installed wallet software. The code identifies the location of the wallet’s application files before targeting the ASAR package format used by Electron-based applications. The code specifically searches for files in paths such as “AppData/Local/Programs/atomic/resources/app.asar”. Once it locates it, the malware extracts the application archive, injects its malicious code, and then rebuilds the archive.

The injections specifically target JavaScript files that are inside the wallet software, especially vendor files like “vendors.64b69c3b00e2a7914733.js”. The malware then modifies the transaction handling code to replace the real wallet addresses with the ones belonging to the attacker using the base64 encoding. For example, when a user tries to send Ethereum, the code replaces the recipient address with a decoded version of the address.

After the infection is completed, the malware communicates using a command-and-control server, sending installation status information including the user’s home directory path. This allows the attacker to track successful infections and potentially gather information about the compromised systems. According to ReversingLabs, the malicious path has also shown evidence of persistence, with the Web3 wallet on systems still infected even when the package has been removed.

Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More