Lucia Valentich
You're listening to the Cyberwire Network powered by N2K.
Dave Bittner
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Lucia Valentich
This malicious NPM package puts malicious payload inside other locally installed software, Atomic Wallet and Exodus in this case. So malicious payload is still there. That means once you find out that that package is maybe malicious, you remove it. But the malicious payload would stay still in Atomic Wallet software and in Exodus Wallet software. So you would still be left with malicious payload even if you delete the malicious NPM package.
Dave Bittner
That's Lucia Valentich, software threat researcher from ReversingLabs. The research we're discussing today is titled "Atomic and Exodus Crypto Wallets targeted in malicious NPM campaign."
Lucia Valentich
In the last couple of months on NPM there are a lot of packages that are malicious NPM packages that are targeting crypto community, so we are paying close attention to those kind of packages. This package in particular was marked as suspicious by our ML model. It was also marked as suspicious because it had JavaScript obfuscated file inside. So of course we decided to check it because we had a couple of different channels pointing us to the suspicion of the package. And it never hurts to check files that have JavaScript obfuscated, of course.
Dave Bittner
Yeah. Well, as is often the case, the name PDF to Office sounds harmless. I suppose this is a common tactic of attackers using these sorts of useful names.
Lucia Valentich
Yes, of course there are a couple of things they use. They use typosquatting, so they take some legitimate NPM package name and they just add a few letters. Sometimes they use a legitimate NPM package name and then they, you know, make wordplay on that name. And sometimes they just think of some names themselves that they think developers could use or download, that they think could be useful to developers. So of course developers are more keen to download it.
Dave Bittner
Well, let's walk through this together. How would someone find themselves with this package installed, and what happens after it?
Lucia Valentich
So this package, it's very simple. It doesn't try to mimic anything. It has very few files. It only tries to pass as a package that converts PDF files to Office documents. But this package, once installed, actually does, of course, malicious things. It checks if Atomic Wallet or if Exodus Wallet is installed on the victim's computer. And then if it is, it overwrites legitimate files inside with trojanized versions. And the legitimate files that are overwritten are used. For example, if you are using Atomic Wallet or Exodus Wallet and you are sending crypto funds to some other users, functions in those legitimate files that are overwritten are used. So of course trojanized versions have the same functionality as legitimate files, but a few code lines are added. The malicious payload that is added just switches out the outgoing address of a crypto fund. Of course, that results in malicious actors channeling crypto funds that the victim would send to someone else to his own crypto wallet.
Dave Bittner
What about persistence here? How did they stay on the victim's machine even after that NPM package was uninstalled?
Lucia Valentich
So that is very interesting because usually we see NPM packages, malicious ones, that have download payloads or are info stealers. So they have malicious payloads inside them. This malicious NPM package puts malicious payload inside other locally installed software, Atomic Wallet and Exodus in this case. So malicious payload is still there. So that means, which is a little bit scary, that means once you find out that that package is maybe malicious, you remove it. But the malicious payload would stay still in Atomic Wallet software and in Exodus Wallet software. So you would still be left with malicious payload even if you delete the malicious NPM package.
Dave Bittner
So it's actually modifying the Atomic or Exodus Wallets themselves.
Lucia Valentich
So I just want to clarify that Atomic Wallet's and Exodus Wallet's legitimate software installers on legitimate sites were not hijacked, but locally installed software was being hijacked.
Dave Bittner
I see. Are there any obfuscation or anti-analysis techniques that are used to hide the intent of the code?
Lucia Valentich
Yes, of course. So usually malicious actors really like to use JavaScript obfuscator. Of course it doesn't mean that if some file is obfuscated with JavaScript obfuscator, it's malicious all of a sudden. But it doesn't hurt to check. So this malicious payload in the NPM package was obfuscated with JavaScript obfuscator. I think it was obfuscated with a very simple version because it was very easy to deobfuscate. Also, the malicious payload that would be injected into legitimate files was obfuscated, or more precisely encoded with base64. It was very easily deobfuscated, but it was still, you know, a little bit hidden.
Dave Bittner
We'll be right back.
And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
Let's talk about the targeting and the scope here. Were they going after specific operating systems or versions of the Wallet or even user configurations?
Lucia Valentich
So they targeted particularly, at that time, the last two versions of Atomic Wallet and the latest version at the time of Exodus Wallet. Because between a few versions of Atomic Wallet install files are different, they have different names. So they targeted particularly those two, the latest versions they had, because they probably thought that anyone who used Atomic Wallet would update it soon or would have the latest version. So they wanted to make sure that they catch the most people they can with their malicious packages.
Dave Bittner
Yeah, that's interesting. Was there any particular geographic distribution in terms of who they're going after? Any countries that they focused on?
Lucia Valentich
Not in particular, they just checked if the user had installed Atomic Wallet or Exodus Wallet. They didn't check geographic IP addresses or anything, at least in these packages. Maybe there are some out there that do that.
Dave Bittner
I see. Any indication as to who might be behind this attack?
Lucia Valentich
Well, we are not quite sure because there is no other metadata or anything that is connected with those packages that we found. So we cannot point to anything. But probably there are threat actors, threat groups that are going for the crypto community lately. I know that North Korea is most likely to go after the crypto community, but I'm not saying that in this case it's connected with it; maybe it's some threat actor that is a lone wolf and he's just trying to get crypto funds taken away.
Dave Bittner
So it seems to be likely that this is financially motivated, of course, because.
Lucia Valentich
Like with any crypto attack, they are trying to get funds, they're trying to steal funds in a very secretive way, a very persistent way.
Dave Bittner
So, yeah, well, let's talk about disclosure here. I mean, once you confirmed this malicious behavior, what sort of steps did you take to alert the broader community?
Lucia Valentich
So of course we reported it to the NPM managers, but before they could take the package down, it was probably taken down by the author of the malicious package, because there is no security holding version. So probably it was just taken down. We also have the Spectra Assure community page where we have all repos, public repositories and packages. And of course there you can see what package is malicious and what package is goodware. And of course we have marked that package as malicious on that site.
Dave Bittner
But looking at the big picture here, what does this particular incident say about supply chain security in an open source ecosystem like npm?
Lucia Valentich
Of course it only solidifies the threat to the crypto community, because at the end of last year we had a couple of big crypto community attacks. Some big legitimate crypto packages were hijacked, or packaged legitimate packages were hijacked and were injected with malicious payloads that targeted the crypto community. So it only solidifies that the crypto community is obviously very vulnerable now and everyone is trying to steal funds. But it also highlights the idea that malicious actors are always trying to find new ways to hide malware, to inject malicious payload somewhere. They also, you know, before they were trying to hijack some packages, but now they found an easier way, because this time they don't have to hijack anything. They just need to inject malicious payload in already installed NPM packages, which is much easier, and it's a little bit harder to detect and a bit more persistent.
Dave Bittner
So, yes, what are your recommendations then for if someone's a user of Atomic or Exodus Wallets, what sort of things should they look out for?
Lucia Valentich
I mean, basically, if you're using any, not just Atomic Wallet or Exodus Wallet, but if you're using any crypto-related software or crypto-related package, I think you should be on the lookout. I think you should be aware that there are malicious NPM packages or, you know, malicious threat actors targeting you. Because crypto communities, especially on NPM at least, are targeted now. But also you as a developer, you as a user of Atomic Wallet and Exodus. In this case, if you have the versions that are affected and accidentally installed the malicious package, this particular one, you should remove the malicious package and you should reinstall those versions of Atomic Wallet and Exodus Wallet as well.
Dave Bittner
Are there any improvements that you'd like to see from package managers like NPM to help defend against this sort of thing in the future?
Lucia Valentich
I think maybe, and I'm not sure if they are doing it already, but maybe work closely with some threat researchers on taking down malicious NPM packages or PyPI packages or anything. I'm not sure who is doing what, but I think that would help in making the community more healthy and more safe.
Dave Bittner
Our thanks to Lucia Valentich from ReversingLabs for joining us. The research is titled "Atomic and Exodus Crypto Wallets Targeted in Malicious NPM Campaign." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Release Date: May 10, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
In this episode of CyberWire Daily, host Dave Bittner talks with Lucia Valentich, a software threat researcher from ReversingLabs, about a concerning development in the cybersecurity landscape: the hijacking of locally installed crypto wallets through malicious NPM (Node Package Manager) packages. The research, titled "Atomic and Exodus Crypto Wallets targeted in malicious NPM campaign," describes how attackers tamper with legitimate software already on the victim's machine to siphon cryptocurrency funds.
Lucia Valentich explains the emergence of malicious NPM packages targeting the cryptocurrency community. Over recent months, an uptick in such packages has raised alarms among security researchers.
[01:15] Lucia Valentich: "This malicious NPM package puts malicious payload inside other locally installed software Atomic Wallet and Exodus in this case."
The specific package under scrutiny was flagged as suspicious by ReversingLabs' machine learning model and, separately, because it contained an obfuscated JavaScript file, a common tactic to hide malicious intent.
The attackers employed several deceptive techniques to distribute their malicious packages:
Misleading Naming Conventions: The package was deceptively named "PDF to Office," which sounds benign and useful to developers.
[03:02] Dave Bittner: "As is often the case, the name PDF to Office sounds harmless."
Typosquatting and Wordplay: Attackers create package names similar to legitimate ones or use wordplay to trick developers into downloading them.
[03:15] Lucia Valentich: "They use typosquatting... they think developers are more keen to download it."
These strategies increase the likelihood of developers inadvertently installing the malicious packages.
Once the malicious NPM package is installed, it performs the following actions:
Detection of Target Wallets: The package checks if Atomic Wallet or Exodus Wallet is installed on the victim's computer.
Trojanizing Legitimate Files: If either wallet is detected, the attacker overwrites legitimate files within the wallet software with tampered versions. These modified files maintain the original functionality but include additional code that alters outgoing cryptocurrency transactions.
[04:57] Lucia Valentich: "Malicious payload... switches out outgoing address of a crypto fund, resulting in funds being redirected to the attacker's wallet."
This method enables attackers to stealthily redirect funds without disrupting the user's experience.
A particularly alarming aspect of this campaign is the persistence of the malicious payload:
[05:35] Lucia Valentich: "Malicious payload is still there. So once you find out that package is maybe malicious, you remove it. But the malicious payload would stay still in Atomic Wallet software and an Exodus Wallet software."
This means that even after uninstalling the malicious NPM package, the wallet software on disk remains trojanized; the package's removal does not restore the overwritten files, so the wallet must be reinstalled from the vendor's installer.
The attackers specifically targeted the latest versions of Atomic and Exodus Wallets to maximize the reach:
[09:49] Lucia Valentich: "They targeted particularly at that time the last two versions of Atomic Wallet and the latest version at the time of Exodus Wallet."
There was no specific geographic targeting, indicating a broad malicious intent aimed at any user running these wallet versions.
While the exact perpetrators remain unidentified, Lucia suggests potential culprits:
[11:01] Lucia Valentich: "Probably there are threat actors, threat groups that are going for crypto community lately. I know that North Korea is most likely to go after crypto community, but I'm not saying that in this case..."
The motivation appears to be financially driven, aligning with the broader trend of crypto-related cybercrimes.
Upon discovering the malicious behavior, ReversingLabs took immediate action:
Reporting to NPM Managers: The malicious package was reported; it was removed before npm acted, most likely by the package author, since npm had not replaced it with a security-holding placeholder version.
Community Awareness: The threat was further disseminated via ReversingLabs' Spectra Assure community page, where the package was marked as malicious to inform other developers and users.
[12:07] Lucia Valentich: "We have marked that package as malicious on that site."
This incident underscores the vulnerabilities inherent in open-source ecosystems like NPM:
[12:55] Lucia Valentich: "It only solidifies the threat to crypto community... malicious actors are always trying to find new ways to hide malware, to inject malicious payload somewhere."
The ease with which a small package can tamper with software already installed on a developer's machine, without hijacking any widely used package, highlights the critical need for robust supply chain security measures.
Lucia provides actionable advice for users of crypto wallets:
Vigilance: Users should remain aware of the potential for malicious NPM packages targeting their crypto-related software.
Mitigation Steps: If the malicious package was installed on a machine running an affected wallet version, users should remove the package and then reinstall the wallet software, because removing the package alone leaves the trojanized wallet files in place:
[14:23] Lucia Valentich: "This particular one, you should remove the malicious package and you should reinstall those versions of Atomic Wallet and Exodus Wallet as well."
To bolster defense against such threats, Lucia suggests improvements for platforms like NPM:
[15:26] Lucia Valentich: "Maybe work closely with some threat researchers on taking down malicious NPM packages... making community more healthy and more safe."
Enhanced collaboration between package managers and security researchers can lead to quicker identification and removal of malicious packages, safeguarding the broader developer community.
The episode highlights a sophisticated method of compromising cryptocurrency wallets through malicious NPM packages. By embedding malicious payloads within legitimate software, attackers can persistently redirect funds without immediate detection. This case serves as a stark reminder of the ongoing threats within the open-source supply chain and the critical importance of vigilant security practices among developers and users alike.
Notable Quotes:
Lucia Valentich [01:15]: "This malicious NPM package puts malicious payload inside other locally installed software Atomic Wallet and Exodus in this case."
Dave Bittner [03:02]: "As is often the case, the name PDF to Office sounds harmless."
Lucia Valentich [12:55]: "It only solidifies the threat to crypto community... they don’t have to hijack anything. They just need to inject malicious payload in already installed NPM packages."
Lucia Valentich [14:23]: "If you're using any crypto related software... remove malicious package and reinstall those versions of Atomic Wallet and Exodus Wallet as well."
For more detailed insights and ongoing coverage of cybersecurity threats, stay tuned to CyberWire Daily powered by N2K Networks.