Beware! Malicious Crypto Package Targets XRP and SOL Wallets


Researchers have identified a sophisticated software supply chain attack that siphons funds from users of popular cryptocurrency wallets such as Atomic and Exodus, the latest in a growing wave of attacks on the cryptocurrency ecosystem. In this case the attackers distributed a malicious npm (Node package manager) package to unsuspecting developers; once installed, it tampers with the wallet software so that outgoing transactions are silently redirected to attacker-controlled addresses. The redirection is invisible at the moment of sending, leaving affected crypto holders little chance of noticing before the funds are gone.

Trojan Horse ‘pdf-to-office’ Package Used to Compromise

The attack starts when a developer unknowingly installs a trojanised npm package called ‘pdf-to-office’, which poses as a legitimate library for converting PDF files to Microsoft Office documents. Once installed, the package silently searches the system for cryptocurrency wallet software and injects malicious code into it. That code can reroute transactions, including Ethereum, Solana, XRP and Tron-based USDT transfers, to the attackers’ wallets.



The package looks innocent but carries a payload that can wipe out the holdings of any crypto user who does not detect the intrusion.

Researchers Detect Attack Via Suspicious npm Activity

ReversingLabs, a software supply chain security company that monitors npm for suspicious packages, uncovered the attack. Its researchers found several indicators of malicious activity, including abnormal URL connections and code patterns matching threats they had detected before.

The campaign, which began in early April, stands out for its multi-layered infection mechanism and its persistence. Once the malicious code has been injected into the wallet application, it runs silently, hijacking transactions and swapping recipient addresses in real time. This stealth makes it extremely hard for users to spot the intrusion before it is too late.

A Multi-Stage Infection Process

The infection begins when the compromised package is installed and its malicious code scans the system for wallet applications. For the Atomic wallet, for example, the malware looks for the Electron application archive at the “AppData/Local/Programs/atomic/resources/app.asar” path.

After finding the archive, the malware unpacks it, injects its code and repacks it. The target is the JavaScript inside the wallet, in particular the vendor bundles responsible for transactions, where legitimate recipient addresses are substituted with attacker-controlled ones. The modification is deliberately subtle: the attackers’ addresses are stored base64-encoded so that they do not stand out in the patched code.

The result is that users unwittingly send their funds to the attackers’ wallets.

Seamless and Stealthy Attacks: Users in the Dark

What makes this attack especially dangerous is how well it hides. The wallet software appears to run normally, so users have no reason to suspect that malicious code is working behind the scenes.

Apart from the transaction itself, there is no visual indication that funds were diverted. Users may only discover the breach much later, when they examine their transactions on the blockchain and find that the funds went to an unknown address.

Persistent Malware and the Importance of Being Vigilant

What is most insidious about this attack is its persistence. Because the malicious code lives inside the wallet application’s own files rather than in the npm package, removing the package does not undo the infection: the trojanised wallet keeps redirecting transactions, and cleaning it up is difficult for users.

ReversingLabs’ findings show that the malware survives attempts to remove it and continues to operate on affected systems, complicating efforts to neutralise the attack. Since uninstalling the package does not restore the patched application archive, the only reliable remedy is to remove the wallet software and reinstall it from the vendor’s official distribution. This persistence is further evidence of the growing threat that software supply chain attacks pose to the cryptocurrency ecosystem.

Crypto Users Need to Remain Vigilant Against Emerging Threats

Wider adoption of cryptocurrency has brought a corresponding rise in criminal activity targeting unsuspecting users, with software supply chain attacks now reaching new levels of sophistication.
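The Node.js script below is an added example, not ReversingLabs’ analysis code, the malware itself, or any wallet vendor’s code. It ties together the two points made above: the infection patches the JavaScript inside the Electron app.asar archive and hides the replacement addresses as base64, and uninstalling the npm package leaves that patched archive in place, so a defender has to inspect the installed archive directly. The script parses the asar container format, walks its .js entries and flags quoted base64 literals that decode to an Ethereum-, TRON-, XRP- or Solana-shaped address. The archive it scans is a fixture constructed inside the script (a small writer builds it in memory), the file names dist/vendors.clean.js and dist/vendors.tampered.js are invented for that fixture, and the addresses are dummy placeholders that merely match the address formats. To audit a real installation, pass the bytes of the installed app.asar to scanAsar instead of FIXTURE.

```javascript
// Added example (not ReversingLabs', the malware's or any wallet vendor's code): parse an
// Electron app.asar, walk its .js entries and flag quoted base64 literals that decode to a
// cryptocurrency address, the concealment the trojanised vendor bundles used.
// The archive and sources below are constructed fixtures; the addresses are placeholders.

// Minimal asar writer, used only to build the fixture. Layout (all u32 little-endian):
//   [4][headerPickleLen]  [payloadLen][jsonLen][json padded to 4 bytes]  [file data...]
// Leaf entries in the JSON carry "size" and a string "offset" relative to the data start.
function buildAsar(files) {
  const root = { files: {} };
  const chunks = [];
  let offset = 0;
  for (const [path, text] of Object.entries(files)) {
    const data = Buffer.from(text, 'utf8');
    const parts = path.split('/');
    let node = root;
    for (const dir of parts.slice(0, -1)) {
      if (!node.files[dir]) node.files[dir] = { files: {} };
      node = node.files[dir];
    }
    node.files[parts[parts.length - 1]] = { size: data.length, offset: String(offset) };
    chunks.push(data);
    offset += data.length;
  }
  const json = Buffer.from(JSON.stringify(root), 'utf8');
  const padded = Math.ceil(json.length / 4) * 4;
  const headerPickle = Buffer.alloc(8 + padded);   // zero-filled, so the padding is already zero
  headerPickle.writeUInt32LE(4 + padded, 0);       // payload size: length field + padded string
  headerPickle.writeUInt32LE(json.length, 4);      // unpadded string length
  json.copy(headerPickle, 8);
  const sizePickle = Buffer.alloc(8);
  sizePickle.writeUInt32LE(4, 0);                  // the size pickle's payload is one u32
  sizePickle.writeUInt32LE(headerPickle.length, 4);
  return Buffer.concat([sizePickle, headerPickle, ...chunks]);
}

// Reader: returns every file in the archive as { path, data }.
function readAsar(buf) {
  const headerPickleLen = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.subarray(16, 16 + jsonLen).toString('utf8'));
  const dataStart = 8 + headerPickleLen;           // file data begins right after the header pickle
  const out = [];
  const walk = (node, prefix) => {
    for (const [name, entry] of Object.entries(node.files)) {
      const path = prefix ? `${prefix}/${name}` : name;
      if (entry.files) walk(entry, path);
      else {
        const start = dataStart + Number(entry.offset);
        out.push({ path, data: buf.subarray(start, start + entry.size) });
      }
    }
  };
  walk(header, '');
  return out;
}

// Address shapes, checked in this order: XRP and TRON addresses are base58 too and would
// otherwise be reported as Solana addresses when they fall in the 32-44 character range.
const ADDRESS_SHAPES = [
  ['ETH', /^0x[0-9a-fA-F]{40}$/],
  ['TRON', /^T[1-9A-HJ-NP-Za-km-z]{33}$/],
  ['XRP', /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/],
  ['SOL', /^[1-9A-HJ-NP-Za-km-z]{32,44}$/],
];
const QUOTED_BASE64 = /["'`]([A-Za-z0-9+/]{20,}={0,2})["'`]/g;

// Flag every quoted base64 literal whose decoded value looks like a wallet address.
function findEncodedAddresses(source) {
  const hits = [];
  for (const m of source.matchAll(QUOTED_BASE64)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    const shape = ADDRESS_SHAPES.find(([, re]) => re.test(decoded));
    if (shape) hits.push({ chain: shape[0], encoded: m[1], decoded });
  }
  return hits;
}

// Scan every .js file inside an asar buffer; findings are tagged with the file path.
function scanAsar(buf) {
  const findings = [];
  for (const { path, data } of readAsar(buf)) {
    if (!path.endsWith('.js')) continue;
    for (const hit of findEncodedAddresses(data.toString('utf8'))) findings.push({ path, ...hit });
  }
  return findings;
}

// Constructed fixture: a clean vendor bundle and a tampered one that swaps the recipient.
// The addresses are placeholders (a burn address and a made-up r-address), not real wallets.
const DUMMY_ETH = '0x' + '0'.repeat(36) + 'dEaD';
const DUMMY_XRP = 'rDummyXrpAddress123456789abcdef';
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const FIXTURE = buildAsar({
  'package.json': '{"name":"wallet-fixture","main":"main.js"}',
  'dist/vendors.clean.js': 'function sendTx(to, amount) { return { to, amount }; }\n',
  'dist/vendors.tampered.js':
    'function sendTx(to, amount) {\n' +
    `  if (to.startsWith("0x")) to = atob("${b64(DUMMY_ETH)}");\n` +
    `  else if (to.startsWith("r")) to = atob("${b64(DUMMY_XRP)}");\n` +
    '  return { to, amount };\n}\n',
});

// Report for the fixture; point scanAsar at the bytes of a real app.asar to audit an install.
for (const f of scanAsar(FIXTURE)) {
  console.log(`${f.path}: ${f.chain} address hidden as base64 -> ${f.decoded}`);
}
```

The check is a heuristic rather than a signature: a quoted base64 literal that decodes to an address is unusual in legitimate bundle code, but an implant could split or re-encode the address, so treat a clean scan as a weak signal and, when in doubt, compare the hash of the installed archive against a fresh download from the vendor.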

The pdf-to-office campaign is a reminder of the threats lurking in the npm ecosystem and of the care required when handling digital assets. Cryptocurrency users should monitor their wallets, verify that installed wallet software has not been modified, treat npm packages with skepticism before installing them, and adopt well-established security practices to protect their funds. In a constantly changing threat landscape, staying informed and taking precautions is the best defence against attacks of this kind.
