Sep 02, 2025Ravie LakshmananCryptocurrency / Malware
Cybersecurity researchers have found a malicious npm bundle that comes with stealthy options to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Home windows methods.
The bundle, named nodejs-smtp, impersonates the reliable e-mail library nodemailer with an equivalent tagline, web page styling, and README descriptions, attracting a complete of 347 downloads because it was uploaded to the npm registry in April 2025 by a person named “nikotimon.” It is presently not accessible.
“On import, the bundle makes use of Electron tooling to unpack Atomic Pockets’s app.asar, change a vendor bundle with a malicious payload, repackage the applying, and take away traces by deleting its working listing,” Socket researcher Kirill Boychenko mentioned.
The primary goal is to overwrite the recipient tackle with hard-coded wallets managed by the menace actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions, successfully appearing as a cryptocurrency clipper.
That having mentioned, the bundle delivers on its acknowledged performance by appearing as an SMTP-based mailer in an try to keep away from elevating builders’ suspicion.
The bundle nonetheless works as a mailer and exposes a drop-in interface appropriate with nodemailer. That purposeful cowl lowers suspicion, permits utility checks to move, and offers builders little motive to query the dependency.
The event comes months after ReversingLabs found an npm bundle named “pdf-to-office” that achieved the identical targets by unpacking the “app.asar” archives related to Atomic and Exodus wallets and modifying inside them a JavaScript file to introduce the clipper perform.
“This marketing campaign reveals how a routine import on a developer workstation can quietly modify a separate desktop utility and persist throughout reboots,” Boychenko mentioned. “By abusing import time execution and Electron packaging, a lookalike mailer turns into a pockets drainer that alters Atomic and Exodus on compromised Home windows methods.”
