Cybersecurity researchers have shared details of a malware campaign targeting users of Ethereum, XRP, and Solana.
The attack primarily targets Atomic Wallet and Exodus users via a malicious Node Package Manager (npm) package.
Once in place, it redirects outgoing transactions to an attacker-controlled address without the wallet owner's knowledge.
The attack begins when a developer unknowingly installs the trojanized npm package into a project. Researchers identified "pdf-to-office" as the malicious package: it presents itself as a legitimate PDF conversion utility while carrying hidden malicious code.
Once the package is installed, it scans the system for installed cryptocurrency wallets and injects code that intercepts transactions.
“Targeting Escalation”
“This latest campaign represents the ongoing escalation of cryptocurrency users through software supply chain attacks,” the researcher said in the report.
The malware can redirect transactions across multiple cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP, and Solana (SOL).
ReversingLabs identified the campaign through analysis of suspicious npm packages and detected multiple indicators of malicious behavior, including suspicious URL connections and code patterns matching previously identified threats. Their technical analysis reveals a multi-stage attack that uses advanced obfuscation techniques to evade detection.
The infection process begins when the malicious package runs a payload that targets wallet software installed on the system. The code specifically looks for the wallets' application files at known installation paths.
Once it finds a target, the malware extracts the wallet's application archive (the Electron app's packaged app.asar). It creates a temporary directory, unpacks the application files, inserts malicious code, repacks everything, and leaves the wallet running code that looks unchanged from the outside.
The malware modifies the transaction-processing code so that the legitimate recipient address is replaced with an attacker-controlled one, which is stored in the code as a Base64 string rather than in plain text.
For example, if a user attempts to send ETH, the modified code swaps the recipient address for the attacker's address decoded from that Base64 string.
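The following is an added example, not code from the article or from the ReversingLabs report. It shows a small checker that scans a JavaScript bundle for Base64 string literals that decode to a cryptocurrency address, which is exactly the hiding pattern described above, and runs it over two constructed fragments: one imitating an untampered send routine and one imitating a tampered routine. The function names, the "broadcast" call, and every address in the fragments are placeholders invented for the demonstration.

```javascript
// Added example, not code from the article or the ReversingLabs report.
// Scans JavaScript source for base64 string literals that decode to a
// cryptocurrency address, the way the article describes the tampered wallet
// code hiding the attacker's recipient address. The bundles below are
// constructed for this demo; every address in them is a placeholder.

// Address shapes for the chains the report names. Base58 omits 0, O, I and l.
// Order matters: a Tron or XRP address is also a valid-looking base58 run,
// so the more specific shapes are tried before the generic Solana one.
const ADDRESS_SHAPES = [
  { chain: 'ETH',  re: /^0x[0-9a-fA-F]{40}$/ },
  { chain: 'TRON', re: /^T[1-9A-HJ-NP-Za-km-z]{33}$/ },
  { chain: 'XRP',  re: /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/ },
  { chain: 'SOL',  re: /^[1-9A-HJ-NP-Za-km-z]{32,44}$/ },
];

// Find quoted literals that look like base64, decode them, and report those
// that decode to an address. The decoded text must re-encode to the same
// literal, so hex blobs and long identifiers are not misread as base64.
function findHiddenAddresses(source) {
  const findings = [];
  const literal = /(['"`])([A-Za-z0-9+\/]{16,}={0,2})\1/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const encoded = m[2];
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    if (Buffer.from(decoded, 'utf8').toString('base64') !== encoded) continue;
    const shape = ADDRESS_SHAPES.find((s) => s.re.test(decoded));
    if (!shape) continue;
    const line = source.slice(0, m.index).split('\n').length; // 1-based line of the literal
    findings.push({ line, chain: shape.chain, address: decoded, encoded });
  }
  return findings;
}

// Placeholder "attacker" addresses (constructed; these are not real accounts).
const ETH_PLACEHOLDER  = '0x' + 'ab'.repeat(20);   // 0x + 40 hex chars
const TRON_PLACEHOLDER = 'T' + 'A'.repeat(33);     // T + 33 base58 chars
const SOL_PLACEHOLDER  = 'Dummy1'.repeat(7);       // 42 base58 chars
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed fragment of an untampered send routine: the recipient the user
// entered is the recipient that gets broadcast. "broadcast" is hypothetical.
const CLEAN_BUNDLE = `
function sendEth(to, amount) {
  return broadcast({ to, amount });
}
const API = "${b64('https://example.com')}"; // benign base64, not an address
`;

// Constructed fragment imitating the tampered routine the article describes:
// the user's "to" is ignored and a base64-decoded address is sent instead.
const TAMPERED_BUNDLE = `
function sendEth(to, amount) {
  const to2 = Buffer.from("${b64(ETH_PLACEHOLDER)}", "base64").toString();
  return broadcast({ to: to2, amount });
}
function sendUsdtTron(to, amount) {
  const to2 = Buffer.from("${b64(TRON_PLACEHOLDER)}", "base64").toString();
  return broadcast({ to: to2, amount });
}
function sendSol(to, amount) {
  const to2 = Buffer.from("${b64(SOL_PLACEHOLDER)}", "base64").toString();
  return broadcast({ to: to2, amount });
}
const API = "${b64('https://example.com')}";
`;

// Stand-alone demo: prints no findings for the clean fragment and three for
// the tampered one (ETH on line 3, TRON on line 7, SOL on line 11).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('clean bundle:', findHiddenAddresses(CLEAN_BUNDLE));
  console.log('tampered bundle:', findHiddenAddresses(TAMPERED_BUNDLE));
}
```

In practice this scanner would be pointed at the JavaScript inside a wallet's unpacked application archive and compared against a known-good copy; a Base64 literal that decodes to a chain address is not something legitimate transaction code has a reason to contain, so any hit is worth a manual look. The round-trip check keeps long hex strings and identifiers from being misdecoded as Base64.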
The impact of this malware can be severe because the transaction appears normal in the wallet interface while the funds are sent to the attacker.
There is no visual indication that the transaction has been tampered with until the user looks it up on the blockchain and discovers where the funds went.