Beware: Malicious npm Package ‘nodejs-smtp’ Imitates Nodemailer and Targets Atomic and Exodus Wallets

Cybersecurity researchers have recently uncovered a malicious npm package named nodejs-smtp that stealthily injects harmful code into cryptocurrency wallet applications such as Atomic and Exodus, specifically on Windows systems. The package masquerades as the legitimate email library nodemailer, with identical page styling and descriptions to deceive users. Uploaded in April 2025 by a user named "nikotimon," it was downloaded 347 times before being removed from the npm registry.

Upon import, the malicious package uses Electron tooling to manipulate Atomic Wallet’s app.asar file, replacing essential components with its own malicious payload. It then deletes its working directory to cover its tracks.

The primary function of this malicious package is to redirect cryptocurrency transactions. It accomplishes this by overwriting the recipient address with hard-coded wallets owned by the attacker. This includes redirection of Bitcoin, Ethereum, Tether, XRP, and Solana transactions, effectively acting as a cryptocurrency clipper.

Interestingly, the package still functions as an SMTP-based mailer to avoid arousing developers' suspicions. Its design conforms to nodemailer’s interface, so application tests pass and developers have no reason to second-guess the dependency.

This discovery echoes a prior incident where ReversingLabs found another malicious npm package named "pdf-to-office" that aimed to achieve similar objectives by altering the app.asar files associated with the same wallet applications.

This campaign exemplifies how a routine import operation on a developer’s workstation can surreptitiously modify an unrelated desktop application, maintaining persistence across system reboots. By exploiting import-time execution and Electron packaging, a decoy mailer morphs into a wallet drainer, targeting users operating compromised Windows systems.

