Malicious npm Package nodejs-smtp Targets Atomic and Exodus Wallets
Summary
A malicious npm package named nodejs-smtp impersonated the legitimate nodemailer library in order to tamper with the Atomic and Exodus cryptocurrency wallets on Windows systems. The package was uploaded in April 2025 and downloaded 347 times before it was removed. Once installed, it modified the wallets so that outgoing transactions were redirected to attacker-controlled wallets, acting as a cryptocurrency clipper. It used Electron tooling to open the wallet applications, replace a vendor bundle with a payload that overwrites the recipient address at send time, and repackage the applications. The attacker's goal was to divert Bitcoin, Ethereum, Tether, XRP, and Solana transactions. Because the package also kept working SMTP mailer functionality, a developer who imported it saw nothing out of the ordinary.
Timeline
- 02.09.2025 07:40 (1 article): Malicious npm Package nodejs-smtp Targets Atomic and Exodus Wallets
  A malicious npm package named nodejs-smtp was discovered to mimic the legitimate nodemailer library. The package, uploaded in April 2025, targeted Atomic and Exodus wallets on Windows systems. It used Electron tooling to inject malicious code, replacing a vendor bundle with a payload that overwrote recipient addresses to redirect transactions to attacker-controlled wallets. The package maintained SMTP mailer functionality to avoid detection.
Sources:
- Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets, thehackernews.com, 02.09.2025 07:40
Information Snippets
- The package was uploaded to the npm registry in April 2025 by a user named 'nikotimon'. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package was downloaded 347 times before being removed. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package targeted Atomic and Exodus wallets on Windows systems. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package used Electron tooling to inject malicious code into the wallets. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package replaced a vendor bundle with a malicious payload and repackaged the application. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package overwrote recipient addresses to redirect transactions to attacker-controlled wallets. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package targeted Bitcoin, Ethereum, Tether, XRP, and Solana transactions. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
- The package maintained SMTP mailer functionality to avoid detection. (First reported 02.09.2025 07:40, thehackernews.com; 1 source, 1 article)
Similar Happenings
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials in Supply Chain Attack
A supply chain attack on the nx build system compromised multiple npm packages and led to the exfiltration of 2,349 GitHub, cloud, and AI credentials. The attack unfolded in three distinct phases and, by one count, affected 2,180 accounts and 7,200 repositories; other analyses put the figures at over 1,346 repositories, over 1,000 developers, and around 20,000 sensitive files. Affected systems ran Linux and macOS.

The nx maintainers identified the root cause as a vulnerable workflow added on August 21, 2025, that allowed executable code to be injected via a pull request title. The attackers used the workflow's GITHUB_TOKEN to trigger the publish workflow and exfiltrate the npm token, then published malicious versions of the nx package and supporting plugins on August 26, 2025. The packages' postinstall script scanned file systems for text files and credentials, used AI-powered CLI tools to dynamically hunt for high-value secrets, and pushed the findings to publicly accessible GitHub repositories that the malware created. The script also modified .zshrc and .bashrc so that the machine shut down as soon as the user opened a terminal. The whole operation took roughly four hours from start to finish.

The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025, and GitHub disabled all singularity-repository instances by 9 a.m. UTC the same day. The nx maintainers rotated npm and GitHub tokens, audited activity, and changed publish access to require two-factor authentication. Wiz researchers identified a second attack wave, affecting over 190 users and organizations and over 3,000 repositories, in which private repositories were made public and forked to preserve their data. GitGuardian's analysis found that 33% of compromised systems had at least one LLM client installed and 85% were running Apple macOS; around 90% of the leaked GitHub tokens remained active as of August 28, 2025. The attack was detected by multiple cybersecurity vendors.
Malicious PyPI and npm Packages Exploit Dependencies in Supply Chain Attacks
Cybersecurity researchers have identified malicious packages in the Python Package Index (PyPI) and npm repositories that exploit dependencies to execute supply chain attacks. The PyPI package termncolor, with 355 downloads, and its dependency colorinal, with 529 downloads, were found to perform DLL side-loading to achieve persistence and remote code execution. The malware can infect both Windows and Linux systems. Additionally, npm packages were discovered to harvest sensitive data, including iCloud Keychain, web browser, and cryptocurrency wallet information. The attacks highlight the risks associated with automated dependency upgrades and the importance of monitoring open-source ecosystems for potential threats.

In a recent supply chain attack, attackers injected malware into npm packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. The attack impacted roughly 10% of all cloud environments. The malware operates by injecting itself into the web browser, monitoring cryptocurrency transactions, and redirecting them to attacker-controlled wallet addresses. The compromised packages include debug, chalk, and ansi-styles, among others. The impact of the attack is limited to fresh installs between ~9 AM and ~11.30 AM ET on September 8, 2025, when the packages were compromised. This attack follows a series of similar incidents targeting JavaScript libraries, highlighting the ongoing threat to the open-source ecosystem.