TL;DR – ReversingLabs has identified a malicious npm package, “pdf-to-office,” that targets Atomic and Exodus crypto wallet users by silently patching local software to hijack transactions. The malware swaps recipient wallet addresses and remains persistent even after removal.
Cybersecurity firm ReversingLabs (RL) has uncovered a new tactic threat actors are employing to target cryptocurrency users. Their latest research, shared with Hackread.com, reveals that cybercriminals are leveraging the npm (Node Package Manager) network to inject malicious code into locally installed cryptocurrency wallet software, specifically targeting Atomic Wallet and Exodus.
This attack involves the malicious patching of legitimate software files, allowing attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses.
Fake Package and Malicious Injection
RL researchers discovered a malicious npm package named “pdf-to-office” that presented itself as a utility for converting PDF files to Microsoft Office documents. Upon execution, however, it deployed a malicious payload that modified key files within the Atomic Wallet and Exodus installation directories.
The malware overwrites legitimate files with trojanised versions, secretly altering the destination address for outgoing cryptocurrency transactions. This allows attackers to remain undetected for an extended period, as the wallet’s core functionality appears unchanged to the user.
ReversingLabs’ automated Spectra Assure platform flagged this package as suspicious because it exhibited behaviours consistent with previous npm-based malware campaigns. An obfuscated JavaScript file was also found within the package, revealing malicious intent.
The payload targeted the "atomic/resources/app.asar" archive in Atomic Wallet’s directory and the "src/app/ui/index.js" file in Exodus.
“Atomic Wallets weren’t the only target of this malicious package, either. RL also detected a malicious payload that tried to inject a trojanised file inside a legitimate, locally-installed Exodus wallet as well,” wrote ReversingLabs’ Software Threat Researcher Lucija Valentić in a blog post.
The attackers targeted specific Atomic Wallet versions (2.91.5 and 2.90.6), indicating deliberate, well-researched targeting. The malicious files were named accordingly, so that the correct file was overwritten regardless of which of those versions was installed.
“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” the researcher explained.
Persistence and Impact
A particularly problematic part of this campaign is its persistence. Research indicates that even if the malicious “pdf-to-office” package is removed from the victim’s system, the compromised cryptocurrency wallet software remains infected.
Moreover, the trojanised files within Atomic Wallet and Exodus continue to operate, silently redirecting funds to the attackers’ Web3 wallet. The only effective way to eliminate the threat is a complete removal and re-installation of the affected wallet software.
The good news is that the official Atomic Wallet and Exodus Wallet installers remain unaffected; the compromise occurs only after the malicious “pdf-to-office” package is installed and executed on a machine where a wallet is already present.
It is worth noting that this campaign is similar to a previous one RL reported in late March, which used two malicious npm packages, "ethers-provider2" and "ethers-providerz", to deliver a payload that patched the legitimate “ethers” package to serve a reverse shell.
The cryptocurrency sector is, therefore, facing increasing risks from software supply chain attacks. These attacks are becoming both more sophisticated and more frequent, requiring increased vigilance from software producers and end-user organizations.