Malicious actors are currently injecting malicious code into legitimate projects to steal digital assets from unsuspecting users. According to reports, cybersecurity researchers have discovered sophisticated malware campaigns targeting crypto users via compromised NPM packages.
According to the report, the attack specifically targets Atomic and Exodus wallet users: the attacker hijacks transactions by injecting malicious code that redirects the funds to the attacker’s wallet. The latest campaign is part of a continuing string of software supply chain attacks against crypto users.
The attack usually originates with developers, most of whom unknowingly install compromised NPM packages into their projects. One such package identified in this campaign is “pdf-to-office.” It appears harmless and looks legitimate, but contains hidden malicious code. Once installed, the package scans the user’s device for installed wallet software and injects malicious code that can intercept and redirect transactions without the user’s knowledge.
Cybersecurity researchers flag malicious code targeting crypto wallets
The impact on the victim is severe: the malicious code quietly redirects crypto transactions to attacker-controlled wallets. The attack covers several digital assets, including Ethereum, Solana, XRP, and Tron-based USDT. The malware swaps the legitimate recipient address for an attacker-controlled one at the moment the user sends funds.
The malicious campaign was discovered by researchers at ReversingLabs through an analysis of suspicious NPM packages. The researchers said there were many indications of malicious behavior, such as connections to suspicious URLs and code patterns similar to previously discovered malicious packages. They said several campaigns attempted to use malicious code this week, and they believe attackers use this technique to maintain persistence and avoid detection.
“Most recently, the campaign launched on April 1st published the package to the NPM Package Manager, which was posed as a library for converting PDF files to Microsoft Office documents.”
Infection Mechanism and Code Injection
According to technical analysis, the attack is multi-stage and starts when the user installs the package. It then proceeds through wallet identification, file extraction, malicious code injection, and finally transaction hijacking. The attackers also use obfuscation techniques to hide their intentions, making the code difficult for traditional tools to pick up, so that by the time users discover it, it is too late.
After installation, the malicious package checks whether wallet software that its payload targets is installed; if so, the infection begins. The code identifies the location of the wallet’s application files and then targets the ASAR package format used by Electron-based applications. It specifically searches for files at a path such as “AppData/Local/Programs/Atomic/Resources/App.Asar”. Once found, the malware extracts the application archive, inserts malicious code, and rebuilds the archive.
The injection specifically targets JavaScript files in the wallet software, especially vendor files such as “Vendors.64B69C3B00E2A7914733.JS”. The malware modifies the transaction-processing code so that the real wallet address is replaced with a Base64-encoded address belonging to the attacker. For example, when a user attempts to send Ethereum, the code replaces the recipient address with the decoded attacker address.
After the infection is complete, the malware communicates with a command-and-control server, sending installation status information that includes the user’s home directory path. This allows an attacker to track successful infections and potentially collect information about the compromised system. According to ReversingLabs, the malicious package also shows evidence of persistence: even if the package is removed, the Web3 wallet on the system remains infected.