Threat actors are continuing to upload malicious packages to the npm registry that tamper with already-installed local copies of legitimate libraries and execute malicious code, in what is seen as a sneakier attempt to stage a software supply chain attack.
The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. In reality, it harbors functionality to inject malicious code into the cryptocurrency wallet software of Atomic Wallet and Exodus.
"Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.
The npm package in question was first published on March 24, 2025, and has since received three updates, with the earlier versions apparently removed by the authors themselves. The latest version, 1.1.2, was uploaded on April 8 and remains available for download. The package has been downloaded 334 times to date.
The disclosure comes just weeks after the software supply chain security firm uncovered two npm packages, ethers-provider2 and ethers-providerz, that were engineered to infect locally installed packages and set up a reverse shell connecting to the threat actor's server over SSH.
What makes this approach attractive to threat actors is that the malware persists on developer systems even after the malicious package itself is removed.
An analysis of pdf-to-office shows that the malicious code embedded in the package checks for the presence of the "atomic/resources/app.asar" archive under the "AppData/Local/Programs" folder to determine whether Atomic Wallet is installed on the Windows machine, and if so, introduces the clipper functionality.
"If the archive was present, the malicious code would overwrite one of its files with a new trojanized version that had the same functionality as the legitimate file, but switched the outgoing crypto address where funds would be sent with the address of a Base64-encoded Web3 wallet belonging to the threat actor," Valentić said.

In a similar vein, the payload is also designed to trojanize the file "src/app/ui/index.js" belonging to the Exodus wallet.
In an interesting twist, the attack targets two specific versions each of Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2), so as to ensure that the correct JavaScript files are overwritten.
"If, by chance, the package pdf-to-office was removed from the computer, the Web3 wallets' software would remain compromised and continue to channel crypto funds to the attackers' wallet," Valentić said. "The only way to completely remove the malicious trojanized files from the Web3 wallets' software would be to remove them completely from the computer, and re-install them."
The disclosure comes as ExtensionTotal detailed 10 malicious Visual Studio Code extensions that stealthily download a PowerShell script which disables Windows security, establishes persistence via scheduled tasks, and installs an XMRig cryptominer.
The extensions were collectively installed over one million times before they were taken down. The names of the extensions are below –
- Prettier — Code for VSCode (by prettier)
- Discord Rich Presence for VS Code (by Mark H)
- Rojo — Roblox Studio Sync (by evaera)
- Solidity Compiler (by VSCode Developer)
- Claude AI (by Mark H)
- Golang Compiler (by Mark H)
- ChatGPT Agent for VSCode (by Mark H)
- HTML Obfuscator (by Mark H)
- Python Obfuscator for VSCode (by Mark H)
- Rust Compiler for VSCode (by Mark H)
"The attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they impersonated to avoid raising suspicion while mining cryptocurrency in the background," ExtensionTotal said.