Cybersecurity experts have disclosed information regarding a malware campaign that is targeting Ethereum, XRP, and Solana.
This attack primarily focuses on users of Atomic and Exodus wallets, using compromised npm (Node package manager) packages as its method of infiltration.
It stealthily redirects transactions to addresses controlled by the attackers, all without the wallet owner’s awareness.
The infiltration begins when developers unknowingly include trojanized npm packages within their projects. Researchers have highlighted “pdf-to-office” as a suspicious package that masquerades as legitimate while concealing harmful code.
After installation, this package scans for existing cryptocurrency wallets on the system and injects malicious code designed to intercept transactions.
‘Increase in targeting’
According to the report, “This recent campaign signifies a heightened focus on attacking cryptocurrency users via software supply chain breaches.”
The malware can reroute transactions across several cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP, and Solana (SOL).
Through analysis of suspicious npm packages, ReversingLabs uncovered the campaign and identified numerous signs of malicious activity, such as questionable URL connections and code patterns previously linked to known threats. Their technical investigation reveals a sophisticated, multi-stage attack that employs advanced obfuscation techniques to avoid detection.
The infection initiates when the harmful package executes its payload aimed at wallet software installed on the device. The code specifically seeks out application files located in designated paths.
Upon locating these files, the malware unpacks the application archive: the code creates temporary directories, extracts the application files, injects the malicious code, and then repackages everything so the application appears unaffected.
It alters the transaction handling code to substitute legitimate wallet addresses with those belonging to the attackers, using base64 encoding for concealment.
For instance, if a user tries to send ETH, the code will replace the recipient’s address with an attacker’s address decoded from a base64 string.
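The three traits the report describes (an install-time hook, code that looks for wallet install paths, and attacker addresses hidden as base64 literals) can be turned into a triage heuristic for the packages already sitting in a project's node_modules. The script below is an added example written for this article, not code from ReversingLabs or from the package in question; the wallet path fragments, the address regexes and the two sample packages it builds in a temporary directory are constructed assumptions for the demonstration.

```python
"""Heuristic triage of installed npm packages for the traits the article describes:
install-time lifecycle hooks, references to desktop wallet install paths, and
base64 string literals that decode to cryptocurrency addresses.

Added example (not the report's or any project's code). The wallet path hints and
the sample packages are constructed assumptions for the demonstration."""
import base64
import json
import re
import tempfile
from pathlib import Path

# Address shapes for the chains the article lists: ETH, Tron-based USDT, XRP, SOL.
# Order matters: the broad base58 SOL pattern is tried last.
ADDRESS_PATTERNS = {
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRON": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "SOL":  re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}
# Assumed fragments of wallet install paths (Atomic and Exodus are Electron apps,
# whose JavaScript ships in an app.asar archive).
WALLET_PATH_HINTS = ("atomic wallet", "exodus", ".asar")
# Quoted literals made only of base64 characters, long enough to hold an address.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def classify_address(text):
    """Return the chain whose address format `text` matches, else None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def decoded_addresses(js_source):
    """(literal, decoded, chain) for every base64 literal that decodes to an address."""
    hits = []
    for literal in BASE64_LITERAL.findall(js_source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii").strip()
        except (ValueError, UnicodeDecodeError):
            continue  # random bytes or bad padding: not an encoded address
        chain = classify_address(decoded)
        if chain:
            hits.append((literal, decoded, chain))
    return hits


def scan_package(pkg_dir):
    """Collect the three indicators for one package directory and combine them."""
    pkg_dir = Path(pkg_dir)
    report = {"install_hooks": [], "wallet_paths": [], "addresses": []}
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        # Lifecycle hooks run automatically on `npm install`: the first chance to touch the host.
        report["install_hooks"] = [h for h in INSTALL_HOOKS if h in scripts]
    for js in sorted(pkg_dir.rglob("*.js")):
        source = js.read_text(errors="ignore")
        lowered = source.lower()
        report["wallet_paths"] += [(js.name, h) for h in WALLET_PATH_HINTS if h in lowered]
        report["addresses"] += decoded_addresses(source)
    # A hidden address on its own is a weak signal; paired with wallet-path strings
    # or an install hook it is the pattern the article describes.
    report["suspicious"] = bool(report["addresses"]) and bool(
        report["wallet_paths"] or report["install_hooks"])
    return report


def scan_node_modules(node_modules):
    """Map package name -> report for every package directory under node_modules."""
    return {p.name: scan_package(p) for p in sorted(Path(node_modules).iterdir()) if p.is_dir()}


def build_samples():
    """Constructed node_modules with one benign and one trojan-style package."""
    root = Path(tempfile.mkdtemp(prefix="node_modules-"))
    benign = root / "pad-left-sample"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "pad-left-sample", "scripts": {"test": "node test.js"}}))
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    # Constructed placeholder addresses, base64-encoded the way the article describes.
    eth_b64 = base64.b64encode(("0x" + "ab" * 20).encode()).decode()
    tron_b64 = base64.b64encode(("T" + "a" * 33).encode()).decode()
    trojan = root / "sample-trojan"
    trojan.mkdir()
    (trojan / "package.json").write_text(json.dumps(
        {"name": "sample-trojan", "scripts": {"postinstall": "node index.js"}}))
    (trojan / "index.js").write_text(
        'const path = require("path");\n'
        'const bundle = path.join(process.env.LOCALAPPDATA || "", "Programs", "Exodus", "resources", "app.asar");\n'
        f'const ethDest = Buffer.from("{eth_b64}", "base64").toString();\n'
        f'const tronDest = Buffer.from("{tron_b64}", "base64").toString();\n')
    return root


if __name__ == "__main__":
    for name, rep in scan_node_modules(build_samples()).items():
        print(name, "SUSPICIOUS" if rep["suspicious"] else "ok", rep["addresses"])
```

Point `scan_node_modules` at a real node_modules directory to triage it. The base64 check is deliberately loose (any long literal that decodes to printable ASCII is tried), so the SOL pattern in particular will produce false positives on hashes and tokens; that is why a hidden address alone is not marked suspicious and is only escalated when it co-occurs with a lifecycle hook or wallet path string.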
The ramifications of this malware can be dire, as transactions appear unaffected within the wallet interface while funds are being redirected to the attackers.
Users lack any visual cues that their transactions have been compromised until they examine the blockchain transaction and realize that their funds have been sent to an unfamiliar address.
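Because the tampered wallet presents a normal interface, detection has to come from outside the application: checking the recipient on a block explorer after the fact, or, before that, checking that the wallet's own files still match a known-good baseline. The script below is an added example, not code from the report or from either wallet vendor; the install directory layout it creates (an Exodus folder with a resources/app.asar file) and the file contents are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for a desktop wallet's application files.
Added example; the install directory and file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(app_dir):
    """Map relative path -> sha256 for every file under app_dir."""
    app_dir = Path(app_dir)
    return {str(p.relative_to(app_dir)).replace("\\", "/"): sha256_file(p)
            for p in sorted(app_dir.rglob("*")) if p.is_file()}


def verify(app_dir, baseline):
    """Compare the install directory against a stored baseline (taken when the app was clean)."""
    current = build_baseline(app_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added":    sorted(k for k in current if k not in baseline),
        "removed":  sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed install directory, a clean baseline, then a simulated in-place rewrite."""
    root = Path(tempfile.mkdtemp(prefix="wallet-integrity-"))
    app = root / "Exodus"  # constructed install directory name
    (app / "resources").mkdir(parents=True)
    bundle = app / "resources" / "app.asar"
    bundle.write_bytes(b"ORIGINAL-APP-BUNDLE")
    (app / "Exodus.exe").write_bytes(b"launcher")

    baseline = build_baseline(app)
    clean = verify(app, baseline)

    # The article's malware rewrites the archive under its original name and path,
    # so nothing looks different from the file listing; only the hash changes.
    bundle.write_bytes(b"ORIGINAL-APP-BUNDLE+patched-send-handler")
    tampered = verify(app, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    print("after rewrite:", after)
```

Take the baseline immediately after installing from the vendor's signed installer and keep it somewhere the wallet host cannot rewrite (or compare directly against vendor-published checksums where they exist). File size and modification time are not trustworthy signals here, since the repackaging step can preserve both; the content hash is the one thing it cannot keep while changing the code.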