A wave of sophisticated software supply chain attacks has been detected, targeting cryptocurrency users through the manipulation of legitimate open-source software (OSS) packages.
Threat actors are employing stealthy techniques to introduce malicious payloads into trusted software libraries, exposing users of Web3 wallets to significant risks, including theft of funds.
Recent research conducted by cybersecurity firm ReversingLabs (RL) reveals these adversaries are exploiting OSS repositories to distribute trojanized libraries that modify locally installed software.
The latest campaign, uncovered on April 1, involves a malicious package named pdf-to-office uploaded on the npm platform.

Posing as a utility for converting PDF documents to Microsoft Office formats, the package secretly injected tampered code into popular crypto wallet software like Atomic Wallet and Exodus Wallet, enabling attackers to redirect cryptocurrency transactions to their own wallets.
Hijacking OSS and Stealing Crypto: A Multi-Pronged Attack
The attack strategy relies on exploiting trusted local installations of crypto wallets.
Once the malicious pdf-to-office package is installed, it searches for specific files in installations of Atomic Wallet and Exodus Wallet.
It then overwrites legitimate files with trojanized variants. These altered files functionally mimic the originals but replace outgoing cryptocurrency destination addresses with wallets controlled by the attackers.

The campaign notably targeted specific versions of these wallets, such as Atomic Wallet versions 2.90.6 and 2.91.5, tailoring the injected malicious files to align with version-specific configurations.
For Exodus Wallet, targeted versions included 25.13.3 and 25.9.2, with a similar trojanization strategy applied to key application files.
The compromise persisted even after the malicious package itself was removed: the trojanized wallet files stayed in place, the wallets remained operational, and funds continued to be redirected to the attackers.
This demonstrates the attack’s resilience and underscores the gravity of such software supply chain intrusions.
The sophistication of this campaign exemplifies how threat actors evolve to avoid detection.
The malicious payload was obfuscated using JavaScript techniques, raising initial suspicion but complicating immediate analysis.
RL’s Spectra Assure platform, powered by machine learning algorithms, flagged behavioral patterns consistent with prior npm-based malware campaigns.
The activity was classified under Threat Hunting policy TH15502, highlighting its alignment with known software supply chain attack indicators.
Further analysis revealed additional malicious behavior. The attackers, in an apparent effort to cover their tracks, compressed and exfiltrated files from the AnyDesk remote access tool’s directory via a command-and-control endpoint.
This activity suggests a dual-purpose intent: both stealing cryptocurrency funds and collecting sensitive forensic data for potential long-term exploitation.
Wider Implications for the Software Supply Chain
This attack is part of a growing trend targeting cryptocurrency ecosystems, where threat actors exploit trust in OSS repositories to infiltrate critical systems.
RL’s 2025 Software Supply Chain Security Report emphasizes that such risks are expanding across industries, with cryptocurrency platforms particularly vulnerable due to their high-value data and financial transactions.
The attackers’ reliance on locally deployed software highlights the need for continuous monitoring of trusted applications and careful scrutiny of third-party software dependencies.
The increasing frequency of attacks using stealthy patching techniques signals a critical need for enhanced security protocols within the software development lifecycle.
Organizations and developers must adopt robust measures, including advanced threat detection tools and strict validation of third-party packages, to defend against such attacks.
Regular audits of installed software and immediate action on flagged vulnerabilities are essential to prevent adversaries from exploiting trusted systems.
This incident is a stark reminder of the evolving nature of software supply chain risks.
It reinforces the urgency for end-users, OSS contributors, and security teams to collaborate in addressing vulnerabilities before they escalate into widespread breaches.
For those in the cryptocurrency domain, ensuring the integrity of Web3 wallets and infrastructure remains paramount in maintaining trust and security.