npm Malware Targets Atomic and Exodus Wallets to Steal Crypto Funds

The ReversingLabs (RL) research team has uncovered a sophisticated npm-based malware campaign in which a fake npm package, deceptively named pdf-to-office, targets locally installed Atomic and Exodus wallets to silently redirect outgoing crypto funds to attacker-controlled addresses.

“Threat actors have been targeting the cryptocurrency community hard lately,” warns the RL report, citing an alarming rise in attacks on the Web3 ecosystem.

Disguised as a benign PDF-to-Word converter, the malicious npm package was published on April 1. But rather than convert documents, it executed an obfuscated JavaScript payload that searched for Atomic and Exodus wallets installed on the host system.

“The package injected malicious code into legitimate, locally-installed crypto wallet software… overwriting existing, non-malicious files in the process.”

Once detected, pdf-to-office was briefly removed—likely by the attacker themselves—only to reappear days later in a slightly modified version, perpetuating the threat.

RL researchers deobfuscated the payload and found that it:

• Scans for specific versions of Atomic Wallet (2.90.6 and 2.91.5)
• Overwrites version-specific JS files inside the application bundle with altered versions
• Replaces the crypto destination address with the attacker’s base64-encoded wallet
• Exfiltrates install status to a remote server (hxxp://178[.]156[.]149[.]109/set-install-status)

“That was the only difference between the legitimate and trojanized file, except that the malicious version of the file was not minified.”

The same tactic was applied to Exodus Wallet, where the file src/app/ui/index.js was replaced in versions 25.13.3 and 25.9.2. Every crypto transaction attempted by the user was silently rerouted to the attacker’s wallet.

Adding a disturbing twist, RL observed the malware also collecting chat logs and trace files from AnyDesk:

“The AppData/Roaming/AnyDesk directory… was zipped and sent to hxxp://178[.]156[.]149[.]109/save-anydesk.”

This suggests a dual-purpose attack—crypto theft and reconnaissance—possibly for staging further attacks or covering tracks post-exfiltration.

Deleting the npm package isn’t enough. Once installed and executed, the trojanized wallet files persist, allowing the attackers to maintain control of future transactions.

“The only way to completely remove the malicious trojanized files… would be to remove [the wallets] completely from the computer and re-install them.”

As Web3 and decentralized finance continue to grow, crypto wallet software has become a high-value target. Attackers are now operating at the level of developer infrastructure, planting backdoors in packages that millions rely on.

Related Posts:

• Purrglar: Emerging Stealer Targets Chrome and Exodus Wallet Data on macOS
• Atomic Stealer Malware Returns in New Disguises, Targets Mac Users’ Sensitive Data
• Malware on npm “Patches” Local Packages with Reverse Shell