BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Malicious npm Package Targets Crypto Wallet Apps on Windows

Malicious npm Package Disguised as Popular Email Library Targets Crypto Wallets on Windows

  • A malicious npm package impersonated a popular email library to target crypto wallet apps on Windows.
  • The package, named nodejs-smtp, was downloaded 347 times since April 2025 before removal.
  • Attackers used the package to secretly inject wallet-draining code into Atomic and Exodus desktop wallets.
  • The package maintained email-sending features to appear legitimate and avoid detection.
  • The attack changed wallet transaction addresses to those controlled by the threat actor, redirecting popular cryptocurrencies.

Cybersecurity researchers have revealed that a fake npm package targeted cryptocurrency wallet applications on Windows computers earlier in 2025. The package, called nodejs-smtp, was created to imitate the legitimate nodemailer email library. This malicious package aimed to inject harmful code into the Atomic and Exodus desktop apps in order to steal funds from users.

- Advertisement -

The package was uploaded in April 2025 by a user known as “nikotimon” and was downloaded 347 times before its removal. According to researchers at Socket, the package imported using Electron, which is used to build desktop apps, to access and edit the internal files of affected wallet applications. The goal was to secretly replace certain parts of these apps with a hidden payload under the threat actor’s control.

Socket researcher Kirill Boychenko explained that the package would overwrite the recipient cryptocurrency address with hard-coded addresses controlled by the attacker. This allowed the Malware to intercept and reroute transactions involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL). As Boychenko stated, “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”

Despite its malicious intent, nodejs-smtp performed as a regular email mailer, matching the interface of nodemailer. This allowed it to function in application tests, further reducing suspicion from developers. The strategy of disguising harmful functions within seemingly normal tools is known as a software supply chain attack.

This incident follows a similar attack involving an npm package called “pdf-to-office,” which also targeted these wallets by altering app files to add transaction-stealing functions. These campaigns highlight the risk of importing new packages in development environments, as attackers may use them to quietly change how desktop applications work.

- Advertisement -

Researchers warn that these kinds of attacks could persist and pose threats to both individuals and companies using desktop crypto wallets.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

OpenAI’s new guide: shorter prompts, better GPT-5.6 Sol results

OpenAI published a dedicated prompting guide for GPT-5.6 Sol that changes earlier advice.Internal coding-agent...

Bitcoin Drops 4% on Geopolitical Tensions, Market Risk-Off

Bitcoin fell to $61,750.90 on Monday, July 13, as geopolitical tensions over the Strait...

New macOS Malware ‘CrashStealer’ Steals Crypto, Passwords

Researchers at Jamf Threat Labs have discovered a new macOS information stealer called CrashStealer...

Trump Urges Senate to Pass Crypto Clarity Act in Honor of Late Lindsey Graham

President Donald Trump urged the Senate to pass the Crypto Clarity Act in honor...

Google pushes TPUs to neoclouds, challenging Nvidia

Google is expanding sales of its custom TPU chips to independent cloud providers, moving...

Must Read

What is Moon Tropica (CAH) – Technology, Tokenomics, Game Preview

Gaming enthusiasts and crypto enthusiasts, hHave you heard about Moon Tropica? If you're longing for that nostalgic feel of classic games from your childhood...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading