Researchers discovered a malicious software package uploaded to NPM that silently modifies locally installed cryptocurrency wallet software, allowing attackers to intercept and reroute digital currency transactions.
The campaign injected Trojanized code into locally installed Atomic Wallet software and hijacked crypto transfers. The attack centers on pdf-to-office, a deceptive NPM package that poses as a library for converting PDF files to Office formats.
Once executed, the package quietly locates and modifies specific versions of the Atomic and Exodus wallets on the victim's machine, redirecting outgoing crypto transactions to wallets controlled by the threat actors.
ReversingLabs said the campaign exemplifies a broader change in tactics. Rather than directly compromising open source libraries, which often triggers a rapid community response, attackers are increasingly distributing packages designed to stealthily "patch" local installations of trusted software with malware.
Target file patching
The pdf-to-office package was first uploaded to NPM in March and updated multiple times until early April. Despite its advertised functionality, the package had no actual file conversion capability.
Instead, its core script ran obfuscated code that searched for local installations of the Atomic and Exodus wallets and replaced key application files with malicious variants.
The attacker replaced a legitimate JavaScript file inside the resources/app.asar archive with a nearly identical Trojanized version that swaps the user's intended recipient address for the attacker's base64-decoded wallet address.
For Atomic Wallet, versions 2.90.6 and 2.91.5 were specifically targeted; the same method was applied to Exodus Wallet versions 25.9.2 and 25.13.3.
Once patched, the infected wallet continues to redirect funds even if the original NPM package is removed. Removing the malicious code requires a complete uninstall and reinstallation of the wallet software.
ReversingLabs also highlighted the malware's persistence and obfuscation efforts. Infected systems send installation status data to an attacker-controlled IP address (178.156.149.109), and in some cases zipped logs and trace files from the AnyDesk remote access software are also exfiltrated, suggesting an interest in deeper system penetration or the elimination of evidence.
Expansion of threats in the software supply chain
This discovery follows a similar campaign in March involving ethers-provider2 and ethers-providerz, which patched the legitimate ethers NPM package to establish a reverse shell. Both incidents highlight the growing sophistication of supply chain attacks targeting the crypto space.
ReversingLabs warned that these threats continue to evolve, particularly in Web3 environments where local installation of open source packages is common. Attackers increasingly rely on social engineering and indirect infection methods, knowing that most organizations do not scrutinize dependencies that are already in place.
According to the report:
“This type of patching attack is dependent on packages installed and patched, as the threat persists even if the source NPM module is removed.”
The malicious package was flagged by ReversingLabs' machine learning algorithms under threat hunting policy TH15502. It was subsequently removed from NPM, but a version republished under the same name as version 1.1.2 briefly reappeared, indicating the persistence of the threat actor.
The researchers have published hashes of the affected files and the wallet addresses used by the attackers as indicators of compromise (IOCs). These include the wallet used to receive the redirected funds, as well as the SHA1 fingerprints of all infected package versions and the associated Trojanized files.
As software supply chain attacks become more frequent and technically refined, security experts are calling for stricter code auditing, dependency management, and real-time monitoring of changes to locally installed applications.