Malicious npm Package Targets Crypto Wallet Apps on Windows

Malicious npm Package Disguised as Popular Email Library Targets Crypto Wallets on Windows

  • A malicious npm package impersonated a popular email library to target crypto wallet apps on Windows.
  • The package, named nodejs-smtp, was downloaded 347 times since April 2025 before removal.
  • Attackers used the package to secretly inject wallet-draining code into Atomic and Exodus desktop wallets.
  • The package maintained email-sending features to appear legitimate and avoid detection.
  • The attack changed wallet transaction addresses to those controlled by the threat actor, redirecting popular cryptocurrencies.

Cybersecurity researchers have revealed that a fake npm package targeted cryptocurrency wallet applications on Windows computers earlier in 2025. The package, called nodejs-smtp, was created to imitate the legitimate nodemailer email library. This malicious package aimed to inject harmful code into the Atomic and Exodus desktop apps in order to steal funds from users.

- Advertisement -

The package was uploaded in April 2025 by a user known as “nikotimon” and was downloaded 347 times before its removal. According to researchers at Socket, the package imported using Electron, which is used to build desktop apps, to access and edit the internal files of affected wallet applications. The goal was to secretly replace certain parts of these apps with a hidden payload under the threat actor’s control.

Socket researcher Kirill Boychenko explained that the package would overwrite the recipient cryptocurrency address with hard-coded addresses controlled by the attacker. This allowed the Malware to intercept and reroute transactions involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL). As Boychenko stated, “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”

Despite its malicious intent, nodejs-smtp performed as a regular email mailer, matching the interface of nodemailer. This allowed it to function in application tests, further reducing suspicion from developers. The strategy of disguising harmful functions within seemingly normal tools is known as a software supply chain attack.

This incident follows a similar attack involving an npm package called “pdf-to-office,” which also targeted these wallets by altering app files to add transaction-stealing functions. These campaigns highlight the risk of importing new packages in development environments, as attackers may use them to quietly change how desktop applications work.

- Advertisement -

Researchers warn that these kinds of attacks could persist and pose threats to both individuals and companies using desktop crypto wallets.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Oracle to Operate TikTok US Algorithm as Takeover Deal Nears Completion

A potential agreement is nearing that would move control of TikTok’s U.S. operations to...

Bitcoin Options Expiry Favors Bulls if $112K Holds Amid Uncertainty

About $22.6 billion in Bitcoin options contracts are set to expire on Friday, with...

BitMine Buys $84M in Ethereum, Analysts See ETH Hitting $12K+

Ethereum holds above $4,100 following an $84 million purchase by BitMine Immersion.The company now...

Institutions Buy Billions in MSTR as Stock Drops 38% From High

Institutional investors continue to buy large amounts of MSTR shares, even as the stock...

FTT Token Surges 24% After Jailed SBF’s Account Posts “gm”

FTX’s FTT token price surged nearly 24% after a social media post on Sam...
- Advertisement -

Must Read

Top 9 Most Legit Bitcoin Faucets

Bitcoin faucets are platforms where you can earn Bitcoin free. Some other faucet apps and websites allow users to receive different cryptocurrencies for free....