
Malicious npm Package nodejs-smtp Targets Atomic and Exodus Wallets

📰 1 unique source, 1 article

Summary


A malicious npm package named nodejs-smtp impersonated the legitimate nodemailer library in order to tamper with the Atomic and Exodus cryptocurrency wallets on Windows systems. Uploaded in April 2025, it was downloaded 347 times before being removed from the registry. Rather than watching the clipboard, it acted as a clipper at the wallet level: using Electron's packaging tooling it opened each wallet's application bundle, replaced a vendor bundle with a payload that overwrote the recipient address of outgoing transactions, and wrote the modified bundle back, so that Bitcoin, Ethereum, Tether, XRP and Solana transfers were silently redirected to attacker-controlled wallets. Because the change is made to the wallet's own files, uninstalling the npm package does not undo it; the affected wallet has to be reinstalled from a clean copy. The package retained fully working SMTP mailer functionality, so a developer who installed it by mistake saw nothing unusual.

Timeline

  1. 02.09.2025 07:40 📰 1 article

    Malicious npm Package nodejs-smtp Targets Atomic and Exodus Wallets

    A malicious npm package named nodejs-smtp was discovered to mimic the legitimate nodemailer library. The package, uploaded in April 2025, targeted Atomic and Exodus wallets on Windows systems. It used Electron tooling to inject malicious code, replacing a vendor bundle with a payload that overwrote recipient addresses to redirect transactions to attacker-controlled wallets. The package maintained SMTP mailer functionality to avoid detection.



Similar Happenings

Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials in Supply Chain Attack

A supply chain attack on the nx build system compromised multiple npm packages and exfiltrated 2,349 GitHub, cloud and AI credentials. It unfolded in three distinct phases and, across them, touched 2,180 accounts and 7,200 repositories (other counts cited below come from different vendors' telemetry and differ). The root cause, as identified by the nx maintainers, was a vulnerable GitHub Actions workflow added on August 21, 2025, that interpolated a pull request title into executable code. The attackers used it to obtain the workflow's GITHUB_TOKEN, trigger the publish workflow and exfiltrate the npm publishing token, then published malicious versions of the nx package and its supporting plugins on August 26, 2025. Those versions have since been removed from the npm registry.

The malicious postinstall script scanned the file system for text files and credentials, used locally installed AI-powered CLI tools to search dynamically for high-value secrets, and used the victim's own GitHub token to create publicly accessible repositories (named s1ngularity-repository) into which the stolen data was pushed. It also appended a shutdown command to .zshrc and .bashrc, so the machine powered off as soon as a new terminal was opened. Linux and macOS systems were affected; GitGuardian's analysis found that 85% of compromised systems ran Apple macOS and 33% had at least one LLM client installed. The attack took approximately four hours from start to finish and was detected by multiple cybersecurity vendors. The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025, and GitHub disabled all s1ngularity-repository instances by 9 a.m. UTC the same day. The nx maintainers have rotated npm and GitHub tokens, audited activity, and changed publish access to require two-factor authentication.

Wiz researchers identified a second attack wave affecting over 190 users and organizations and over 3,000 repositories, in which the stolen tokens were used to make private repositories public and to create forks that preserved the data. Overall impact figures vary by source: over 1,000 developers and around 20,000 sensitive files by one count, over 1,346 repositories by another. As of August 28, 2025, around 90% of the leaked GitHub tokens remained active.

Malicious PyPI and npm Packages Exploit Dependencies in Supply Chain Attacks

Cybersecurity researchers have identified malicious packages in the Python Package Index (PyPI) and npm that abuse the dependency mechanism to carry out supply chain attacks: the package a developer installs looks harmless, while a dependency it pulls in does the work. The PyPI package termncolor (355 downloads) depends on colorinal (529 downloads), which performs DLL side-loading to gain persistence and remote code execution; the malware can infect both Windows and Linux systems. Separately, npm packages were found harvesting sensitive data, including iCloud Keychain, web browser and cryptocurrency wallet contents. These cases underline the risk of automated dependency upgrades and the need to monitor open-source ecosystems for such threats.

In a later incident, attackers injected malware into npm packages with a combined total of over 2.6 billion weekly downloads after taking over a maintainer's account through phishing; by one vendor's estimate the compromised versions reached roughly 10% of all cloud environments. The payload runs in the web browser, where it hooks into the page, watches for cryptocurrency transactions and rewrites their recipient addresses to attacker-controlled wallets. The compromised packages include debug, chalk and ansi-styles, among others. Exposure is limited to fresh installs made between about 9 AM and 11:30 AM ET on September 8, 2025, the window during which the compromised versions were live on the registry. The incident follows a series of similar attacks on JavaScript libraries, highlighting the ongoing threat to the open-source ecosystem.