CyberSecurity news

FlagThis - #web3

lucija.valentic@reversinglabs.com (Lucija) @ Blog (Main)
ReversingLabs has identified a malicious npm package named "pdf-to-office" that targets cryptocurrency users by injecting malicious code into locally installed Atomic Wallet and Exodus software. The package poses as a utility for converting PDF files to Microsoft Office documents, but its real purpose is to overwrite legitimate files inside existing crypto wallet installations. The patched wallet then silently hijacks outgoing crypto transfers by swapping the intended destination address for one controlled by the attacker. The ReversingLabs team continues to track threat actors using a variety of techniques to hijack popular crypto packages.

This attack relies on malicious patching of local software: rather than shipping its own wallet stealer, the package modifies the wallet already on the victim's machine, so transfers are intercepted without the user seeing anything unusual. "pdf-to-office" targets specific versions of Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2), so that the correct JavaScript files are overwritten for each build. Once executed, the malicious code checks for the presence of the "atomic/resources/app.asar" archive for Atomic Wallet and of "src/app/ui/index.js" for Exodus.

Because the change lives in the wallet's own files, a compromised wallet keeps channeling funds to the attacker's address even after the "pdf-to-office" package is removed from the system; uninstalling the npm package is not enough, and the wallet itself has to be reinstalled from a clean source. ReversingLabs' Spectra Assure platform flagged the package as suspicious because its behaviors mirrored those of earlier npm-based malware campaigns. The first version was published on March 24, 2025 and later removed; the latest version, 1.1.2, was uploaded on April 8 and was still available for download at the time of the report.



References:
  • hackread.com: ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.
  • Blog (Main): Threat actors have been targeting the cryptocurrency community hard lately.
  • secure.software: Atomic and Exodus crypto wallets targeted in malicious npm campaign
  • The Hacker News: Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack.
  • www.scworld.com: Atomic, Exodus wallets subjected to malicious npm package attack. Attackers have been looking to compromise users of the Atomic and Exodus cryptocurrency wallets through the new pdf-to-office npm package, which spoofs a PDF-to-Microsoft Word document converter, The Hacker News reports.
  • gbhackers.com: Threat Actors Exploit Legitimate Crypto Packages to Deliver Malicious Code
  • hackread.com: npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers
Classification:
  • HashTags: #CryptoScam #SupplyChainAttack #Web3
  • Company: ReversingLabs
  • Target: Crypto Wallets
  • Product: npm
  • Feature: Malicious Package Injection
  • Malware: pdf-to-office
  • Type: Malware
  • Severity: Major