
Threat actors continue to upload malicious packages to the npm registry that tamper with locally installed versions of legitimate libraries and execute malicious code, in what is seen as a stealthier way to stage a software supply chain attack.
The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files into Microsoft Word documents. In reality, it harbors the ability to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus.
"In effect, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet address exchanged for one belonging to a malicious actor," Lucija Valentić, a researcher at ReversingLabs, said in a report shared with The Hacker News.

The npm package in question was first published on March 24, 2025, and has received three updates since then, although the earlier versions have since been removed by the author. The latest version, 1.1.2, was uploaded on April 8 and remains available for download. The package has been downloaded 334 times so far.
The disclosure comes just weeks after software supply chain security companies discovered two npm packages, named ethers-provider2 and ethers-providerz, designed to infect locally installed packages and establish a reverse shell that connects to the threat actor's server over SSH.
What makes this approach attractive to threat actors is that the malware can persist on developer systems even after the malicious packages themselves are removed.
Analysis of pdf-to-office reveals that the malicious code embedded in the package checks for the presence of the "atomic/resources/app.asar" archive in the "AppData/Local/Programs" folder.
"If the archive exists, the malicious code overwrites one of the files with a new, trojanized version that has the same functionality as the legitimate file but switches the outbound crypto address to which funds are sent to a Base64-encoded Web3 wallet address belonging to the threat actor," Valentić said.

Similarly, the payload is designed to trojanize the file "src/app/ui/index.js" associated with the Exodus wallet.
In an interesting twist, the attack targets two specific versions of each wallet, Atomic Wallet 2.91.5 and 2.90.6 and Exodus 25.13.3 and 25.9.2, to ensure that the correct JavaScript files are overwritten.
"To the point, even if the pdf-to-office package is removed from the computer, the Web3 wallet software remains compromised and crypto funds continue to be channeled into the attacker's wallet," Valentić said. "The only way to completely remove the malicious trojanized files from the Web3 wallet software is to completely remove it from the computer and reinstall it."
The disclosure coincides with ExtensionTotal detailing 10 malicious Visual Studio Code extensions that disable Windows security, establish persistence through scheduled tasks, and stealthily download PowerShell scripts that install the XMRig cryptominer.

The extensions were collectively installed over a million times before they were removed. Their names are as follows:
Prettier – Code for VSCode (by prettier)
Discord Rich Presence for VS Code (by Mark H)
Rojo – Roblox Studio Sync (by evaera)
Solidity Compiler (by VSCode Developer)
Claude AI (by Mark H)
Golang Compiler (by Mark H)
ChatGPT Agent for VSCode (by Mark H)
HTML Obfuscator (by Mark H)
Rust Compiler for VSCode (by Mark H)
"The attackers created sophisticated multi-stage attacks and installed the legitimate extensions they disguised themselves as, to avoid raising doubts while mining cryptocurrency in the background," ExtensionTotal said.