Atomic and Exodus crypto wallets targeted in malicious npm campaign

The cryptocurrency community is under increasing attack from threat actors using malicious packages to compromise legitimate software. A recent campaign involved the pdf-to-office package, which was designed to inject malicious code into crypto wallets like Atomic Wallet and Exodus, enabling attackers to redirect funds to their own addresses. The growing sophistication of these attacks highlights significant risks in the software supply chain, particularly for cryptocurrency applications.

Affected: cryptocurrency community, software supply chain

Key points:

  • Threat actors are targeting the cryptocurrency community using compromised software packages.
  • The pdf-to-office package was used to inject malicious code into crypto wallet software.
  • Atomic Wallet and Exodus were specifically targeted, allowing attackers to redirect funds.
  • Malicious packages are becoming harder to detect due to their stealthy update mechanisms.
  • Software supply chain risks are escalating, particularly in the cryptocurrency sector.
  • Threat actors are modifying their techniques to avoid detection for extended periods.

MITRE Techniques:

  • TA0057: Supply Chain Compromise – Threat actors injected malicious code into legitimate software packages.
  • TA0040: Impact – The campaign intended to redirect cryptocurrency transactions from victims to attackers’ wallets.
  • TA0091: Resource Hijacking – Malicious packages utilized local versions of trusted libraries to execute their payload.

Indicators of Compromise:

  • [Package Name] pdf-to-office (version: 1.0.0) SHA1: 92ae8c8317da6dd1660c3decb55be74b1a41f3df
  • [Package Name] pdf-to-office (version: 1.0.1) SHA1: 7172583d31d7b79737b21b0d6f76cf179c60f728
  • [Package Name] pdf-to-office (version: 1.0.2) SHA1: e8ad87a866b6677ef96de30bd93a455ce7247ffc
  • [Package Name] pdf-to-office (version: 1.1.2) SHA1: 59384e801dcf0299e0e704434c00b0da65550c01
  • [IP Address] 178.156.149.109 (associated with malicious callbacks)
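The indicators above are only useful once they are swept against real artefacts. The following is an added example written for this page, not code from the ReversingLabs write-up: it takes the package name, the four flagged versions with their SHA-1 hashes and the callback IP exactly as listed here, and checks them against a package-lock.json, a downloaded tarball and proxy log lines. The lockfile, log lines and tarball bytes embedded below are constructed sample inputs; the "wallet-tooling" project name, hostnames and timestamps are made up for the illustration.

```python
"""Defensive IoC sweep for the pdf-to-office npm campaign.

Added example, not part of the original advisory. Everything under
SAMPLE_* is constructed test input; the IoC constants come from the
indicator list above.
"""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

# IoCs from the advisory: flagged package versions -> SHA-1 of the published tarball.
MALICIOUS_PACKAGE = "pdf-to-office"
MALICIOUS_SHA1: Dict[str, str] = {
    "1.0.0": "92ae8c8317da6dd1660c3decb55be74b1a41f3df",
    "1.0.1": "7172583d31d7b79737b21b0d6f76cf179c60f728",
    "1.0.2": "e8ad87a866b6677ef96de30bd93a455ce7247ffc",
    "1.1.2": "59384e801dcf0299e0e704434c00b0da65550c01",
}
CALLBACK_IP = "178.156.149.109"


def flagged_lock_entries(lock_json: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every pdf-to-office entry in a lockfile.

    Handles lockfileVersion 2/3 ("packages" map keyed by node_modules path)
    and lockfileVersion 1 (nested "dependencies" tree). A v2 lockfile carries
    both sections, so only one of them is read to avoid duplicate hits.
    """
    lock = json.loads(lock_json)
    hits: List[Tuple[str, str]] = []

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # The last node_modules/ segment is the package name itself.
            if path.split("node_modules/")[-1] == MALICIOUS_PACKAGE:
                hits.append((path, meta.get("version", "")))
        return hits

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == MALICIOUS_PACKAGE:
                hits.append((path, meta.get("version", "")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def is_known_bad_version(version: str) -> bool:
    """True if the version is one of the four flagged releases."""
    return version in MALICIOUS_SHA1


def tarball_matches_ioc(data: bytes) -> Optional[str]:
    """Return the flagged version whose SHA-1 equals the hash of `data`, else None."""
    digest = hashlib.sha1(data).hexdigest()
    for version, sha1 in MALICIOUS_SHA1.items():
        if digest == sha1:
            return version
    return None


# Whole-token IPv4 match so 178.156.149.10 does not match the callback IP by prefix.
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def callback_lines(log_text: str) -> List[str]:
    """Return log lines in which the callback IP appears as a complete address."""
    return [line for line in log_text.splitlines()
            if CALLBACK_IP in _IPV4.findall(line)]


# --- constructed sample inputs (not real artefacts) ---
SAMPLE_LOCK = json.dumps({
    "name": "wallet-tooling",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-tooling", "version": "0.1.0"},
        "node_modules/pdf-to-office": {
            "version": "1.1.2",
            "resolved": "https://registry.npmjs.org/pdf-to-office/-/pdf-to-office-1.1.2.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

SAMPLE_LOG = "\n".join([
    "2025-04-10T12:00:01Z CONNECT 178.156.149.109:443 from build-agent-07",
    "2025-04-10T12:00:02Z CONNECT 178.156.149.10:443 from build-agent-07",
    "2025-04-10T12:00:03Z CONNECT 151.101.1.69:443 from build-agent-07",
])

if __name__ == "__main__":
    for path, version in flagged_lock_entries(SAMPLE_LOCK):
        print(f"{path}@{version}: {'FLAGGED' if is_known_bad_version(version) else 'unlisted version, review'}")
    print("tarball match:", tarball_matches_ioc(b"constructed bytes, not the real tarball"))
    for line in callback_lines(SAMPLE_LOG):
        print("callback:", line)
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; a hit on the package at any version is worth a look even if the version is not in the list, since the advisory notes the campaign kept updating to evade detection.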

Full Story: https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign
