Another Malicious NPM Campaign Targets Atomic and Exodus Wallet

Cybercriminals are hijacking legitimate crypto packages to target Atomic and Exodus wallets, using malicious payloads to swap wallet addresses and steal assets, highlighting growing threats to Web3 wallet users.

By Sulaimon Adewole

April 11, 2025 at 12:33 PM

Last updated

April 11, 2025 at 12:36 PM

Threat actors are deploying different techniques to hijack legitimate crypto packages and steal assets from Web3 wallets. Such attacks are increasing as the number of digital asset users grows.

Recently, the ReversingLabs (RL) research team uncovered another malicious package uploaded to the npm registry targeting Atomic and Exodus wallets. The cybercriminals upload software packages that apply malicious patches to local versions of legitimate libraries.

RL detected that the attackers use a malicious payload that injects trojanized files into legitimate, locally installed Exodus and Atomic wallets.

Source: ReversingLabs

Specifically, they target Atomic Wallet versions 2.91.5 and 2.90.6. The malicious files overwrite the original file no matter the installed version.

The attacks allow the threat actors to intercept cryptocurrency transfers by swapping users’ copied wallet addresses for theirs and making them appear unchanged to the users, as most users copy and paste their addresses instead of typing them.

In fact, the Trojan files don’t cease to operate even after their removal. The effective way to get them eliminated completely is to remove and reinstall the affected wallet software.

The attacks also give room to access other private information, like private keys.

“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” Lucija Valentić, Software Threat Researcher at ReversingLabs, said.

The Hackers Use New Tactics to Hide Their Attacks

Notably, the open-source software (OSS) developer community stated that hijacking open-source packages is a challenge for attackers because such attacks are noticed immediately.

In response, threat actors are employing other tactics that obscure their attacks and make them longer-lived.

“One of the new strategies is to upload packages to popular OSS repositories that are designed to apply malicious ‘patches’ to local versions of legitimate libraries, with the hopes of installing malicious code in an otherwise trusted local library that will escape notice,” Lucija Valentić said.

Furthermore, RL explained that many campaigns have attempted this technique, with the most recent one launched on the 1st of April, 2025.

The campaign added a pdf-to-office package to the npm package registry that legitimately works as a PDF to Microsoft Office document converter.

When the package is executed, it injects malicious code into locally installed crypto wallet software, in this case Atomic and Exodus wallets, and overwrites the existing non-malicious files.

Consequently, the sender unknowingly sends crypto funds to the attacker’s address, which was swapped in for the address the sender copied.

RL likened this latest campaign to the ethers-provider2 and ethers-providerz that it uncovered in late March of this year. It went further, elaborating on the ways the pdf-to-office package works.
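For teams checking whether any of the packages named above reached their projects, the following added example (not code from ReversingLabs or from this article's sources) scans a parsed `package-lock.json` for pdf-to-office, ethers-provider2 and ethers-providerz, covering both the nested v1 and the flat v2/v3 lockfile layouts. The sample lockfiles, the `report-tools` and `web3utils` package names and the placeholder versions are constructed for illustration.

```javascript
// Package names this article reports as part of the campaigns.
const FLAGGED = new Set(["pdf-to-office", "ethers-provider2", "ethers-providerz"]);

// Lockfile v2/v3 keys are install paths; the package name follows the last "node_modules/".
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Lockfile v1 nests transitive packages under "dependencies", so recurse.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (FLAGGED.has(name)) hits.push({ name, version: info.version, path: path.join(" > ") });
    walkV1(info.dependencies, path, hits);
  }
}

// Return every flagged package in a parsed package-lock.json object.
function findFlaggedPackages(lock) {
  const hits = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, [], hits);
    return hits;
  }
  for (const [key, info] of Object.entries(lock.packages)) {
    // An explicit "name" field wins over the path (it covers aliased installs).
    const name = info.name || nameFromPath(key);
    if (FLAGGED.has(name)) hits.push({ name, version: info.version, path: key });
  }
  return hits;
}

// Constructed sample lockfiles; "report-tools", "web3utils" and the versions are made up.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/report-tools/node_modules/pdf-to-office": { version: "0.0.0-example" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  lodash: { version: "4.17.21" },
  web3utils: { version: "0.0.0-example",
    dependencies: { "ethers-provider2": { version: "0.0.0-example" } } },
} };

console.log(findFlaggedPackages(sampleV3), findFlaggedPackages(sampleV1));
```

A hit in a lockfile only shows the package was installed; as noted above, the trojanized wallet files persist after removal, so the affected wallet software still has to be removed and reinstalled.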

More Fake Extensions Embed Malware to Steal Crypto Assets

Earlier, the Kaspersky Anti-Malware Research Team reported that cybercriminals primarily target Russian users with ClipBanker malware to hijack cryptocurrency transactions by swapping users’ wallet addresses for theirs, stealing funds and sensitive data belonging to legitimate users.

The attackers hide crypto-stealing malware in fake Microsoft Office extensions hosted on SourceForge. All of this adds to the growing number of cyberattacks on crypto.
