
Cybersecurity researchers have discovered a malicious NPM package with stealth capabilities to inject malicious code into desktop apps for cryptocurrency wallets such as Atomic and Exodus on Windows systems.
The package, named NodeJS-SMTP, impersonates the legitimate email library nodemailer, copying its tagline, page styling and README description. It collected a total of 347 downloads after it was uploaded to the NPM registry in April 2025 by a user named “Nikotimon.” It is no longer available.
“On import, the package uses Electron tools to unpack the app in the Atomic wallet, replace the vendor bundle with a malicious payload, repackage the application, remove the working directory and remove the trace.”

The main purpose is to overwrite recipient addresses with hardcoded wallets controlled by threat actors, and to redirect Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions.
That said, the package delivers the functionality it advertises, acting as an SMTP-based mailer so that developers have no cause for suspicion.
It still works as a mailer and exposes a drop-in interface that is compatible with nodemailer. This functional cover lowers suspicion, lets application tests pass, and gives developers little reason to question the dependency.
The development comes months after ReversingLabs discovered an NPM package named “PDF-to-Office.” It achieved the same goal by unpacking the “app.asar” archives associated with the Atomic and Exodus wallets and modifying a JavaScript file inside them to introduce clipper functionality.
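Because both packages work by rewriting files inside a wallet's “app.asar”, a defender can detect the change by hashing the packed files and comparing them with a known-good baseline. The following is an added example, not code from the researchers or from either package; it assumes the usual asar layout (16 bytes of size fields, a JSON header, then the file data), and the helper names, file names and sample archives are constructed for illustration.

```javascript
const crypto = require('crypto');
// Build a minimal asar-style archive in memory (constructed sample, flat file list).
function buildAsar(files) {
  const header = { files: {} }, bodies = [];
  let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const body = Buffer.from(text);
    header.files[name] = { size: body.length, offset: String(offset) };
    offset += body.length;
    bodies.push(body);
  }
  const json = Buffer.from(JSON.stringify(header));
  const padded = Math.ceil(json.length / 4) * 4; // header string is 4-byte aligned
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0);            // payload size of the length prefix
  head.writeUInt32LE(8 + padded, 4);   // total header size
  head.writeUInt32LE(4 + padded, 8);   // header payload size
  head.writeUInt32LE(json.length, 12); // JSON length in bytes
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}

// Return { "dir/file": sha256 } for every file packed in the archive.
function hashAsar(archive) {
  const base = 8 + archive.readUInt32LE(4); // file data starts after the header
  const header = JSON.parse(archive.toString('utf8', 16, 16 + archive.readUInt32LE(12)));
  const out = {};
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files)) {
      if (entry.files) { walk(entry, prefix + name + '/'); continue; }
      if (entry.unpacked || entry.link) continue; // not stored inside the archive
      const start = base + Number(entry.offset);
      const data = archive.subarray(start, start + entry.size);
      out[prefix + name] = crypto.createHash('sha256').update(data).digest('hex');
    }
  })(header, '');
  return out;
}

// List every path that was added, removed or changed relative to the baseline.
function diffAsar(baseline, current) {
  const names = new Set([...Object.keys(baseline), ...Object.keys(current)]);
  return [...names].filter((n) => baseline[n] !== current[n]).sort();
}

// Constructed demo: the second archive has its vendor bundle swapped.
const clean = buildAsar({ 'main.js': 'start()', 'vendors.js': 'send(to)' });
const tampered = buildAsar({ 'main.js': 'start()', 'vendors.js': 'send(OTHER)' });
console.log(diffAsar(hashAsar(clean), hashAsar(tampered))); // [ 'vendors.js' ]
```

In practice the baseline would be recorded from a freshly installed, vendor-signed copy of the wallet and the check run with `fs.readFileSync` on the installed archive.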
“This campaign shows how routine imports to developer workstations can quietly modify other desktop applications and maintain them throughout the entire reboot,” Boychenko said. “By running at import time and abusing Electron packaging, a lookalike mailer becomes a wallet drainer that transforms Atomic and Exodus on compromised Windows systems.”