A dangerous new threat is spreading across the crypto world. Hackers have launched a crypto malware campaign that targets crypto users by using fake software packages. These packages are being spread through npm (Node Package Manager), a tool that many developers use to build apps.
Once installed, these fake packages allow attackers to steal cryptocurrencies from users of popular wallets like Atomic Wallet and Exodus. The stolen funds include Ethereum (ETH), XRP (XRP), Solana (SOL), and even Tron-based USDT.
Let’s break down what happened, how it works, and how you can stay safe.
How This Crypto Malware Works
The attack starts with a fake npm package called pdf-to-office. At first glance, it looks like a regular package that helps convert PDF files. But hidden inside is dangerous code.
Once a developer installs this package in their app, the code secretly runs in the background. It scans the victim’s computer for crypto wallet software. If it finds an Atomic or Exodus wallet installed, it injects malicious code into the app’s processes.
From there, the crypto malware watches for outgoing crypto transactions. When the user tries to send crypto, the malware silently changes the destination address to one owned by the attacker. This means the user thinks they’re sending funds to a friend or exchange, but instead, the coins go to the hacker.
Which Wallets Are Being Targeted?
The attackers are focusing on two popular crypto wallets:
- Atomic Wallet
- Exodus Wallet
Both wallets are widely used because they are easy to use and support many different coins. Unfortunately, this also makes them attractive targets.
Once infected, the crypto malware attempts to drain funds from the following cryptocurrencies:
- Ethereum (ETH)
- XRP
- Solana (SOL)
- Tron-based USDT (TRC20)
These coins are some of the most popular in the world, so they give attackers the chance to steal large amounts of money.
Why This Is a Big Deal
This is not the first time that crypto users have been targeted. But this attack is more dangerous because it comes from a software supply chain attack.
Here’s what that means: Instead of attacking users directly, hackers trick developers into installing bad code into the apps they build. Then, when users download those apps, they are infected without even knowing it.
These supply chain attacks are very hard to detect and can spread quickly.
The use of a trusted source like npm also makes it easier for the fake package to slip through unnoticed. Many developers rely on npm every day and don’t expect to find crypto malware there.
Protecting Yourself from Such Attacks
To safeguard your assets from similar threats, consider the following precautions:
- Verify npm Packages: Before installing any npm package, especially those not widely recognized, check for signs of legitimacy, such as the number of downloads, maintenance frequency, and community feedback.
- Use Reputable Wallets: Stick to well-known and regularly updated cryptocurrency wallets.
- Keep Software Updated: Ensure that all your software, including wallets and development tools, are up-to-date with the latest security patches.
- Employ Security Tools: Use antivirus and anti-malware programs to detect and prevent malicious activities on your system.
- Be Cautious with Permissions: Limit the permissions granted to applications, especially those that can access sensitive information or perform transactions.
Final Thoughts
The world of crypto is full of opportunity—but also full of risk. This latest crypto malware attack is a clear reminder that hackers are always looking for new ways to steal funds.
If you use crypto, especially if you’re a developer, take a few minutes to review your security habits. One wrong download can lead to a total loss of funds.
We’ll continue to monitor this crypto malware campaign and report any updates. For now, stay safe, stay alert, and double-check everything.
