Amid a wave of cyberattacks targeting the cryptocurrency community, threat actors have launched a sophisticated software supply chain attack aimed at compromising widely used Web3 wallets, including Atomic Wallet and Exodus.
According to researchers at ReversingLabs (RL), the campaign is concentrated on NPM, a package registry popular with JavaScript and Node.js developers. The attacker published a deceptive package called PDF-to-Office, falsely advertised as a utility for converting PDF files to Microsoft Office formats. Instead, the package carries malicious code designed to hijack local installations of legitimate crypto wallet software.
When executed, the PDF-to-Office package quietly injects malicious patches into the locally installed copies of Atomic Wallet and Exodus. These patches replace legitimate code with a modified version that lets attackers intercept and redirect cryptocurrency transactions. In practice, a user who tries to send funds will have the transaction redirected to a wallet controlled by the attacker, with no visible sign of tampering.
The attack uses a subtle and increasingly popular technique. Instead of hijacking an upstream open source package directly, the malicious actor injected malicious code into the local environment by patching legitimate software already installed on the victim's system.
The PDF-to-Office package first appeared on NPM in March 2025, with multiple versions released in succession; the latest, version 1.1.2, was released on April 1. RL researchers detected the package using machine learning-driven behavioral analysis on the Spectra Assure platform, which found that the code contains obfuscated JavaScript, a common red flag in recent NPM malware campaigns.
The effect persists even after the malicious package is removed. Once a Web3 wallet has been patched, simply removing the fake NPM package does not eliminate the threat: the victim has to completely uninstall and reinstall the wallet application to remove the trojanized component and restore the wallet's integrity.
*This is not investment advice.