Nodejs-smtp malicious npm wallet clipper

Malware Activity
Happening score
H score 22
1 unique sources, 1 articles

Summary

The malicious npm package nodejs-smtp is modifying Atomic Wallet and other desktop wallet apps on Windows to redirect cryptocurrency transfers to attacker-controlled wallets. It impersonates nodemailer, uses Electron tooling to alter the application during import, and behaves as a wallet clipper rather than a normal mailer. The activity creates immediate theft risk for BTC, ETH, USDT, XRP, and SOL transfers on affected desktop systems.

Related Happenings

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Malicious npm packages @automagik/genie and pgserve self-propagating malware

Malware Activity
First: 24.04.2026 11:10 Last: 24.04.2026 11:10 Sources 1

About this happening: **Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...

Npm supply-chain worm that steals publishing tokens and self-propagates

Malware Activity
First: 22.04.2026 15:57 Last: 22.04.2026 15:57 Sources 1

About this happening: A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...

GlassWorm multi-stage data-theft malware evolution

Malware Activity
First: 25.03.2026 16:26 Last: 25.03.2026 16:26 Sources 1

About this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...

CanisterWorm self-propagation across npm packages

Malware Activity
First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

Timeline

  1. 02.09.2025 07:40 2 articles · 8mo ago

    Malicious npm package nodejs-smtp hijacks Atomic Wallet and Exodus installs

    Initial Disclosure

    Security researchers identified the npm package nodejs-smtp as a malicious lookalike for nodemailer after it was found using Electron tooling on Windows to unpack Atomic Wallet's app.asar, replace a vendor bundle with a malicious payload, repackage the application, and delete its working directory. The package also behaves as an SMTP mailer to reduce suspicion while overwriting recipient addresses and redirecting BTC, ETH, USDT, XRP, and SOL transfers to attacker-controlled wallets.
