- A malicious npm package impersonated a popular email library to target crypto wallet apps on Windows.
- The package, named nodejs-smtp, was downloaded 347 times since April 2025 before removal.
- Attackers used the package to secretly inject wallet-draining code into Atomic and Exodus desktop wallets.
- The package maintained email-sending features to appear legitimate and avoid detection.
- The attack changed wallet transaction addresses to those controlled by the threat actor, redirecting popular cryptocurrencies.
Cybersecurity researchers have revealed that a fake npm package targeted cryptocurrency wallet applications on Windows computers earlier in 2025. The package, called nodejs-smtp, was created to imitate the legitimate nodemailer email library. This malicious package aimed to inject harmful code into the Atomic and Exodus desktop apps in order to steal funds from users.
The package was uploaded in April 2025 by a user known as “nikotimon” and was downloaded 347 times before its removal. According to researchers at Socket, the package imported using Electron, which is used to build desktop apps, to access and edit the internal files of affected wallet applications. The goal was to secretly replace certain parts of these apps with a hidden payload under the threat actor’s control.
Socket researcher Kirill Boychenko explained that the package would overwrite the recipient cryptocurrency address with hard-coded addresses controlled by the attacker. This allowed the Malware to intercept and reroute transactions involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL). As Boychenko stated, “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”
Despite its malicious intent, nodejs-smtp performed as a regular email mailer, matching the interface of nodemailer. This allowed it to function in application tests, further reducing suspicion from developers. The strategy of disguising harmful functions within seemingly normal tools is known as a software supply chain attack.
This incident follows a similar attack involving an npm package called “pdf-to-office,” which also targeted these wallets by altering app files to add transaction-stealing functions. These campaigns highlight the risk of importing new packages in development environments, as attackers may use them to quietly change how desktop applications work.
Researchers warn that these kinds of attacks could persist and pose threats to both individuals and companies using desktop crypto wallets.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Nestlé CEO Fired Over Policy Breach; Stock Remains Unshaken
- EU Regulator Warns Tokenized Stocks May Mislead Investors on Rights
- Shiba Inu (SHIB) Holders Debate Selling at Loss Amid Price Drop
- Tokenized Gold Market Cap Hits $2.57B as Gold Price Surges
- Android Droppers Evolve to Bypass Google Protections, Spread Malware
