Malicious npm Package Targets Crypto Wallet Apps on Windows

Malicious npm Package Disguised as Popular Email Library Targets Crypto Wallets on Windows

  • A malicious npm package impersonated a popular email library to target crypto wallet apps on Windows.
  • The package, named nodejs-smtp, was downloaded 347 times since April 2025 before removal.
  • Attackers used the package to secretly inject wallet-draining code into Atomic and Exodus desktop wallets.
  • The package maintained email-sending features to appear legitimate and avoid detection.
  • The attack changed wallet transaction addresses to those controlled by the threat actor, redirecting popular cryptocurrencies.

Cybersecurity researchers have revealed that a fake npm package targeted cryptocurrency wallet applications on Windows computers earlier in 2025. The package, called nodejs-smtp, was created to imitate the legitimate nodemailer email library. This malicious package aimed to inject harmful code into the Atomic and Exodus desktop apps in order to steal funds from users.

- Advertisement -

The package was uploaded in April 2025 by a user known as “nikotimon” and was downloaded 347 times before its removal. According to researchers at Socket, the package imported using Electron, which is used to build desktop apps, to access and edit the internal files of affected wallet applications. The goal was to secretly replace certain parts of these apps with a hidden payload under the threat actor’s control.

Socket researcher Kirill Boychenko explained that the package would overwrite the recipient cryptocurrency address with hard-coded addresses controlled by the attacker. This allowed the Malware to intercept and reroute transactions involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL). As Boychenko stated, “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”

Despite its malicious intent, nodejs-smtp performed as a regular email mailer, matching the interface of nodemailer. This allowed it to function in application tests, further reducing suspicion from developers. The strategy of disguising harmful functions within seemingly normal tools is known as a software supply chain attack.

This incident follows a similar attack involving an npm package called “pdf-to-office,” which also targeted these wallets by altering app files to add transaction-stealing functions. These campaigns highlight the risk of importing new packages in development environments, as attackers may use them to quietly change how desktop applications work.

Researchers warn that these kinds of attacks could persist and pose threats to both individuals and companies using desktop crypto wallets.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

- Advertisement -

Previous Articles:

Stay in the Loop

Get exclusive crypto insights, breaking news, and market analysis delivered straight to your inbox. No fluff, just facts.

    1 Email per day. Unsubscribe at any time.

    - Advertisement -

    Latest News

    HTX Lends 92% of USDT Reserves on Aave, Raising Risk Concerns

    HTX claims strong financial reserves, but most of its stablecoin holdings are out on...

    Nasdaq Tightens Crypto Buy Rules, Treasury Stocks Slide Now.

    Nasdaq will tighten rules for companies raising capital to buy cryptocurrency, including requiring some...

    If Shiba Inu Hits $1, Investors Could See Unimaginable Profits

    The price of Shiba Inu (SHIB) reaching $1 would make current holders extremely wealthy,...

    Hedera Hackathons Offer $1.5M+ in Prizes, Attract 10,000+ Builders

    The Hello Future Origins Hackathon featured a $550,000 global prize pool.The event ran from...

    Bitcoin Soars Amid Federal Reserve Crisis, S&P 500 Entry Looms

    Bitcoin’s price has doubled over the past year amid uncertainty around the Federal Reserve...

    Must Read

    Top 9 Most Legit Bitcoin Faucets

    Bitcoin faucets are platforms where you can earn Bitcoin free. Some other faucet apps and websites allow users to receive different cryptocurrencies for free....