CyberWire Daily: Hijacking Wallets with Malicious Patches [Research Saturday]
Release Date: May 10, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Introduction
In this episode of CyberWire Daily, host Dave Bittner talks with Lucia Valentich, a software threat researcher at ReversingLabs, about a concerning development: the hijacking of crypto wallets through malicious npm (Node Package Manager) packages. The research, titled "Atomic and Exodus Crypto Wallets targeted in malicious NPM campaign," describes how attackers trojanize legitimate wallet software to divert cryptocurrency funds.
Overview of the Malicious NPM Package Campaign
Lucia Valentich explains the emergence of malicious NPM packages targeting the cryptocurrency community. Over recent months, an uptick in such packages has raised alarms among security researchers.
[01:15] Lucia Valentich: "This malicious NPM package puts malicious payload inside other locally installed software Atomic Wallet and Exodus in this case."
The specific package under scrutiny was flagged by ReversingLabs' machine learning model for containing obfuscated JavaScript files, a common tactic for hiding malicious intent.
Tactics Employed by Attackers
The attackers employed several deceptive techniques to distribute their malicious packages:
- Misleading Naming Conventions: The package was deceptively named "PDF to Office," which sounds benign and useful to developers.
[03:02] Dave Bittner: "As is often the case, the name PDF to Office sounds harmless."
- Typosquatting and Wordplay: Attackers create package names similar to legitimate ones, or use wordplay, to trick developers into downloading them.
[03:15] Lucia Valentich: "They use typosquatting... they think developers are more keen to download it."
These strategies increase the likelihood of developers inadvertently installing the malicious packages.
Mechanism of the Attack
Once the malicious NPM package is installed, it performs the following actions:
- Detection of Target Wallets: The package checks whether Atomic Wallet or Exodus Wallet is installed on the victim's computer.
- Trojanizing Legitimate Files: If either wallet is detected, the package overwrites legitimate files within the wallet software with tampered versions. These modified files keep the original functionality but include additional code that alters outgoing cryptocurrency transactions.
[04:57] Lucia Valentich: "Malicious payload... switches out outgoing address of a crypto fund, resulting in funds being redirected to the attacker's wallet."
This method enables attackers to stealthily redirect funds without disrupting the user's experience.
Persistence Mechanism
A particularly alarming aspect of this campaign is the persistence of the malicious payload:
[05:35] Lucia Valentich: "Malicious payload is still there. So once you find out that package is maybe malicious, you remove it. But the malicious payload would stay still in Atomic Wallet software and an Exodus Wallet software."
This means that even after the malicious npm package is uninstalled, the wallet software remains compromised until it is manually reinstalled.
Targeting and Scope
The attackers specifically targeted the latest versions of Atomic and Exodus Wallet to maximize reach:
[09:49] Lucia Valentich: "They targeted particularly at that time the last two versions of Atomic Wallet and the latest version at the time of Exodus Wallet."
There was no specific geographic targeting, indicating a broad malicious intent aimed at any user running these wallet versions.
Attribution of the Attack
While the exact perpetrators remain unidentified, Lucia suggests potential culprits:
[11:01] Lucia Valentich: "Probably there are threat actors, threat groups that are going for crypto community lately. I know that North Korea is most likely to go after crypto community, but I'm not saying that in this case..."
The motivation appears to be financially driven, aligning with the broader trend of crypto-related cybercrimes.
Disclosure and Community Response
Upon discovering the malicious behavior, ReversingLabs took immediate action:
- Reporting to npm Maintainers: The malicious package was reported, leading to its eventual removal. Because no security hold was placed on it, the removal was likely done by the package author themselves.
- Community Awareness: The threat was further disseminated via the Spectra Assure Community page, where the package was marked as malicious to inform other developers and users.
[12:07] Lucia Valentich: "We have marked that package as malicious on that site."
Implications for Supply Chain Security
This incident underscores the vulnerabilities inherent in open-source ecosystems like NPM:
[12:55] Lucia Valentich: "It only solidifies the threat to crypto community... malicious actors are always trying to find new ways to hide malware, to inject malicious payload somewhere."
The ease with which attackers can inject malicious code into widely used packages highlights the critical need for robust supply chain security measures.
Recommendations for Users
Lucia provides actionable advice for users of crypto wallets:
- Vigilance: Users should remain aware of the potential for malicious npm packages targeting their crypto-related software.
- Mitigation Steps: If a malicious package is detected, users should:
  - Remove the Malicious Package: Uninstall the compromised npm package.
  - Reinstall Affected Software: Reinstall the affected wallet software (e.g., Atomic or Exodus) to eliminate the persistent malicious payload.
[14:23] Lucia Valentich: "This particular you should remove malicious package and you should reinstall those versions of Atomic Wallet and Exodus Wallet as well."
Recommendations for Package Managers
To bolster defenses against such threats, Lucia suggests improvements for platforms like npm:
[15:26] Lucia Valentich: "Maybe work closely with some threat researchers on taking down malicious NPM packages... making community more healthy and more safe."
Enhanced collaboration between package managers and security researchers can lead to quicker identification and removal of malicious packages, safeguarding the broader developer community.
Conclusion
The episode highlights a sophisticated method of compromising cryptocurrency wallets through malicious NPM packages. By embedding malicious payloads within legitimate software, attackers can persistently redirect funds without immediate detection. This case serves as a stark reminder of the ongoing threats within the open-source supply chain and the critical importance of vigilant security practices among developers and users alike.
Notable Quotes:
- Lucia Valentich [01:15]: "This malicious NPM package puts malicious payload inside other locally installed software Atomic Wallet and Exodus in this case."
- Dave Bittner [03:02]: "As is often the case, the name PDF to Office sounds harmless."
- Lucia Valentich [12:55]: "It only solidifies the threat to crypto community... they don't have to hijack anything. They just need to inject malicious payload in already installed NPM packages."
- Lucia Valentich [14:23]: "If you're using any crypto related software... remove malicious package and reinstall those versions of Atomic Wallet and Exodus Wallet as well."
For more detailed insights and ongoing coverage of cybersecurity threats, stay tuned to CyberWire Daily powered by N2K Networks.