Cybersecurity experts have sounded the alarm on a new malware campaign targeting users of popular crypto wallets like Atomic and Exodus, with Ethereum, XRP, and Solana assets in the crosshairs.
According to researchers at ReversingLabs, the campaign exploits software supply chains by sneaking malicious code into seemingly harmless npm (Node Package Manager) packages used by developers. One of the key culprits identified is a package named “pdf-to-office,” which, despite appearing legitimate, harbours hidden code designed to compromise crypto wallet applications.
The attack occurs when developers unknowingly integrate the trojanized package into their projects. Once installed, the malware springs into action—scanning the infected system for crypto wallets and injecting code capable of silently hijacking transactions. Victims remain unaware as the malware replaces recipient wallet addresses with attacker-controlled ones while maintaining a normal-looking user interface.
ReversingLabs’ technical breakdown reveals a sophisticated, multi-stage attack strategy. The malware uses advanced obfuscation methods to bypass security scans and then locates application paths for crypto wallets. It extracts and repackages the application files after injecting its malicious payload, ensuring the altered software behaves as expected while concealing its true intent.
The malware’s ability to tamper with transactions involving Ethereum, Tron-based USDT, XRP, and Solana is particularly alarming. The attacker’s addresses are hidden using base64 encoding, allowing the malware to decode and insert them just as a user sends funds—without triggering red flags in the wallet’s interface.
The consequences are dire: transactions appear routine, but users later discover on the blockchain that their crypto assets were rerouted to unfamiliar addresses. This latest scheme highlights an escalating trend in software supply chain attacks aimed at draining funds from unsuspecting crypto holders.
Security researchers urge developers and users alike to remain vigilant, double-check installed npm packages, and monitor blockchain transactions to verify fund movements.
Meanwhile, Microsoft identified a new remote access trojan (RAT) to steal cryptocurrency from users by targeting 20 different wallet extensions on Google Chrome.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
