Researchers from Socket’s Threat Research Team have uncovered a dangerous npm package, nodejs-smtp, that impersonates the widely used nodemailer library to infiltrate developer environments and drain cryptocurrency wallets.
The malicious package nodejs-smtp pretends to be a drop-in replacement for nodemailer, a library averaging nearly 3.9 million weekly downloads.
Unlike many typosquats, this package goes beyond simple name mimicry. It includes a functional mailer API so that “the package still works as a mailer and exposes a drop-in interface compatible with nodemailer. That functional cover lowers suspicion, allows application tests to pass, and gives developers little reason to question the dependency.”
On import, the malicious package targets Atomic Wallet, a popular multi-currency wallet. Socket explains, “On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory.”
Once inside the wallet runtime, the injected code silently hijacks outgoing crypto transactions. “The injected logic overwrites the recipient address during the send flow so the next transaction goes to wallets controlled by the threat actor.”
The attacker’s hardcoded wallet addresses cover a wide range of assets including Bitcoin (BTC), Ethereum (ETH), Tether (USDT & TRX USDT), XRP, and Solana (SOL), ensuring theft across major cryptocurrencies.
The malicious npm package was published under the alias nikotimon using the registration email darkhorse.tech322@gmail[.]com. At the time of Socket’s disclosure, “the threat actor has not yet accumulated significant funds, likely due to the recent launch of the malicious campaign. However, low financial volume does not equate to low risk. The tooling is deliberate, reusable, and scalable.”
Socket warns that the threat actor should be removed from the ecosystem before this trojanized mailer can cause large-scale financial harm. For developers who have already pulled in nodejs-smtp, uninstalling the package is not enough on its own: because the payload rewrites Atomic Wallet’s app.asar on import and then deletes its working directory, any Atomic Wallet installation on an affected machine should be treated as tampered and reinstalled from the official source, and wallet addresses in pending transactions should be re-checked before sending.
Part of the danger lies in how convincing the package appears. Socket notes that “nodejs-smtp is not a simple typosquat of nodemailer, yet it can still land in projects because its name, README, and API look right to a hurried developer.”
With developers often searching for “nodejs smtp example” or relying on AI coding assistants, there’s an elevated chance of mistakenly pulling the malicious package. “LLMs further increase risk, since code assistants can hallucinate package names that look correct for a task.”