EddieJayonCrypto

 14 Apr 25

tl;dr

Cybercriminals are targeting users of Atomic and Exodus wallets through open-source software repositories, distributing malware-laced packages to compromise private keys and drain digital assets. ReversingLabs uncovered a campaign where attackers compromised Node Package Manager libraries, disguising malware as legitimate tools. The malware executes a multi-phase attack, including a clipboard hijacker to alter wallet addresses during transactions. It also collects system details and maintains persistence even after the deceptive package is deleted. Kaspersky researchers reported a parallel campaign using SourceForge, with cybercriminals uploading fake Microsoft Office installers embedded with malware. These incidents highlight a surge in open-source abuse and emphasize the need for vigilance, verified software sources, and strong security practices. Over $1.5 billion in crypto assets were lost to exploits in Q1 2025 alone, emphasizing the growing threats to crypto users and developers.

ReversingLabs, a cybersecurity firm, has uncovered a malicious campaign in which attackers compromised Node Package Manager (NPM) libraries. These libraries, often disguised as legitimate tools such as PDF-to-Office converters, carry hidden malware. Once installed, the malicious code executes a multi-phase attack. First, the software scans the infected device for crypto wallets. Then it injects harmful code into the system, including a clipboard hijacker that silently alters wallet addresses during transactions, rerouting funds to wallets controlled by the attackers. The malware also collects system details and monitors how successfully it infiltrated each target. This intelligence lets threat actors refine their methods and scale future attacks more effectively. ReversingLabs further noted that the malware maintains persistence: even if the deceptive package, such as pdf-to-office, is deleted, remnants of the malicious code remain active. To fully cleanse a system, users must uninstall the affected crypto wallet software and reinstall it from verified sources. Security experts noted that the scope of the threat highlights the growing software supply chain risks facing the industry.

This week, Kaspersky researchers reported a parallel campaign using SourceForge, where cybercriminals uploaded fake Microsoft Office installers embedded with malware. These infected files included clipboard hijackers and crypto miners, posing as legitimate software but operating silently in the background to compromise wallets. The incidents highlight a surge in open-source abuse and reflect a disturbing trend of attackers increasingly hiding malware inside software packages that developers trust. Given the prominence of these attacks, crypto users and developers are urged to remain vigilant, verify software sources, and implement strong security practices to mitigate the growing threats. According to DeFiLlama, over $1.5 billion in crypto assets were lost to exploits in Q1 2025 alone. The largest incident was the $1.4 billion Bybit breach in February.

Disclaimer

The opinions expressed by the writers at Grow My Bag are their own and do not reflect the official stance of Grow My Bag. The content provided on our site is not intended as investment advice, and Grow My Bag is not an investment advisor. We do not endorse buying or selling any cryptocurrencies or digital assets mentioned in our articles. High-risk investments in Bitcoin, cryptocurrencies, and digital assets require thorough due diligence, and all transfers and trades made are at your own risk. Grow My Bag is not responsible for any potential losses and participates in affiliate marketing.