
Malicious npm package nodejs-smtp targets Atomic and Exodus wallets on Windows

1 unique source, 1 article

Summary


A malicious npm package, nodejs-smtp, impersonates the legitimate nodemailer library to inject malicious code into desktop apps for Atomic and Exodus cryptocurrency wallets on Windows systems. The package, uploaded in April 2025, was downloaded 347 times before being removed. It targets Bitcoin, Ethereum, Tether, XRP, and Solana transactions by redirecting them to the attacker's wallets. The package uses Electron tooling to unpack, modify, and repack the wallet applications, effectively acting as a cryptocurrency clipper. It maintains functionality as an SMTP mailer to avoid suspicion.

Timeline

  1. 02.09.2025 07:40 · 1 article · 14d ago

    Malicious npm package nodejs-smtp targets Atomic and Exodus wallets on Windows

    A malicious npm package, nodejs-smtp, was discovered impersonating the legitimate nodemailer library. The package targets Atomic and Exodus cryptocurrency wallets on Windows systems, using Electron tooling to inject malicious code and redirect transactions to the attacker's wallets. It was uploaded in April 2025 and downloaded 347 times before being removed.


Similar Happenings

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours.

The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads.

The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies.

The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.
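A defender-side check for the hooking technique described above, added here as an example (it is not code from the page or from any of the affected projects): a payload that wraps window.fetch, XMLHttpRequest or window.ethereum.request replaces a native function with a plain JavaScript wrapper, so the wrapper's source no longer reads `[native code]`. The sample window objects are constructed so the check runs offline in Node; the names `findHookedApis` and `WATCHED` are this example's own.

```javascript
// Heuristic integrity check for wallet-related browser APIs.
// Capture the pristine toString at load time, because a hooking payload
// could also replace Function.prototype.toString to hide its wrappers.
const nativeToString = Function.prototype.toString;

// APIs the reported payload hooked (dotted paths resolved against the window).
const WATCHED = ["fetch", "XMLHttpRequest", "ethereum.request"];

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}/.test(nativeToString.call(fn));
}

function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Returns the watched API paths whose function no longer looks native.
// A clean result means "nothing obvious", not proof that the page is unhooked.
function findHookedApis(root, watched = WATCHED) {
  const hooked = [];
  for (const path of watched) {
    const fn = resolvePath(root, path);
    if (typeof fn === "function" && !isNativeFunction(fn)) hooked.push(path);
  }
  return hooked;
}

// Constructed sample "window" objects for offline demonstration (no browser needed).
// Built-in functions stand in for the real native fetch / XHR / provider request.
function makeCleanWindow() {
  return { fetch: Array.prototype.push, XMLHttpRequest: Object, ethereum: { request: Math.max } };
}

function makeHookedWindow() {
  const w = makeCleanWindow();
  const original = w.fetch;
  // Typical interception wrapper: calls through, but sits between caller and API.
  w.fetch = function (...args) { return original.apply(this, args); };
  w.ethereum.request = async (req) => req; // replaced wholesale
  return w;
}

console.log("hooked APIs:", findHookedApis(makeHookedWindow())); // [ 'fetch', 'ethereum.request' ]
```

In a real page the check is run against `window`; it is cheap enough to schedule periodically, since such payloads often install their hooks after initial load.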

VS Code Marketplace Flaw Allows Reuse of Deleted Extension Names

A flaw in the Visual Studio Code Marketplace allows threat actors, notably WhiteCobra, to republish deleted extensions under the same names. This vulnerability was discovered after identifying a malicious extension named "ahbanC.shiba" that mimicked previously flagged extensions. The flaw enables attackers to reuse names of removed extensions, posing a risk to software supply chain security. The malicious extensions act as downloaders, retrieving a PowerShell payload that encrypts files and demands Shiba Inu tokens. This issue highlights the need for secure development practices and proactive monitoring of software repositories. WhiteCobra has targeted VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The campaign is ongoing, as the threat actor continuously uploads new malicious code to replace the extensions that are removed. The group is responsible for the $500,000 crypto theft in July, carried out through a fake extension for the Cursor editor.