Cybersecurity researchers have recently identified a malicious npm package named ‘nodejs-smtp’ that poses as the legitimate ‘nodemailer’ library. This deceptive package is designed to infiltrate desktop applications of cryptocurrency wallets, specifically targeting Atomic and Exodus wallets on Windows systems.
Deceptive Appearance and Distribution
The ‘nodejs-smtp’ package closely mimics ‘nodemailer’ by replicating its tagline, page styling, and README descriptions. This imitation has led to 347 downloads since its upload to the npm registry in April 2025 by a user named nikotimon. The package has since been removed from the registry.
Technical Mechanism of the Attack
Upon import, ‘nodejs-smtp’ utilizes Electron tooling to unpack the ‘app.asar’ file of Atomic Wallet. It then replaces a vendor bundle with a malicious payload, repackages the application, and deletes its working directory to eliminate traces of the intrusion. This process effectively injects malicious code into the wallet application.
Objective: Cryptocurrency Theft
The primary goal of this malicious package is to alter transaction recipient addresses within the wallet applications. By substituting these addresses with those controlled by the attacker, the package redirects transactions involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL) to the attacker’s wallets. This method classifies the package as a cryptocurrency clipper.
Maintaining Functionality to Avoid Detection
Despite its malicious intent, ‘nodejs-smtp’ retains the functionality of an SMTP-based mailer, compatible with ‘nodemailer.’ This operational facade reduces suspicion among developers, allowing application tests to pass and providing little reason to question the dependency.
Context: Previous Similar Attacks
This incident follows a similar case where an npm package named ‘pdf-to-office’ was discovered to unpack ‘app.asar’ archives of Atomic and Exodus wallets. It modified JavaScript files within them to introduce a clipper function, achieving comparable malicious objectives.
Implications for Developers and Users
This campaign underscores how a routine import on a developer’s workstation can surreptitiously modify a separate desktop application and persist across reboots. By exploiting import-time execution and Electron packaging, a seemingly benign mailer transforms into a wallet drainer, compromising Atomic and Exodus wallets on affected Windows systems.
Recommendations for Mitigation
To protect against such threats, developers and users should:
– Verify Package Authenticity: Always confirm the legitimacy of npm packages before installation.
– Monitor Dependencies: Regularly review and monitor project dependencies for any unauthorized changes.
– Implement Security Tools: Utilize security tools that can detect and alert on suspicious package behaviors.
– Stay Informed: Keep abreast of the latest cybersecurity threats and advisories related to software supply chains.
Conclusion
The discovery of ‘nodejs-smtp’ highlights the evolving tactics of cyber attackers in targeting cryptocurrency assets through software supply chains. Vigilance and proactive security measures are essential to safeguard against such sophisticated threats.