BitcoinSistemi
2025-04-10 20:59:07

New Trojan Alert Affecting Cryptocurrency Users – Don’t Download the File With This Name!

Amid a growing wave of cyberattacks targeting the cryptocurrency community, threat actors have launched a sophisticated software supply chain attack aimed at compromising widely used Web3 wallets, including Atomic Wallet and Exodus. According to researchers at ReversingLabs (RL), the malicious campaign centers on the npm package manager, a popular platform for JavaScript and Node.js developers.

Attackers are distributing a deceptive package called pdf-to-office, which is falsely promoted as a utility for converting PDF files to Microsoft Office formats. Instead, the package carries malicious code designed to hijack local installations of legitimate crypto wallet software.

Once executed, the pdf-to-office package silently injects malicious patches into locally installed versions of Atomic Wallet and Exodus. These patches replace the legitimate code with a modified version that allows attackers to intercept and redirect cryptocurrency transactions. In practice, users attempting to send funds would find that their transactions were being redirected to a wallet controlled by the attackers, with no visible signs of tampering.

The attack exploited a subtle and increasingly popular technique: instead of directly hijacking upstream open-source packages, malicious actors now inject malicious code into local environments by patching legitimate software already installed on the victim's system.

The pdf-to-office package first appeared on npm in March 2025, and multiple versions have been released in succession. The latest version, 1.1.2, was released on April 1. RL researchers detected the package using machine learning-driven behavioral analysis on the Spectra Assure platform. The code was found to contain obfuscated JavaScript, a common red flag in recent npm malware campaigns.
Notably, the effects persisted even after the malicious package was deleted. Once the Web3 wallets were patched, simply removing the fake npm package did not eliminate the threat. Victims had to completely uninstall and reinstall their wallet application to remove the trojan components and restore wallet integrity.
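
Because the wallet patches outlive the package, a lockfile that ever resolved pdf-to-office is a signal that wallets on that machine need reinstalling. The following added example (not code from ReversingLabs or the original article) searches an npm lockfile for the package, including nested and aliased installs; the sample lockfiles and every other package name in them are constructed.

```javascript
// Added example: locate a named package anywhere in an npm lockfile.
const SUSPECT = "pdf-to-office"; // package name reported in the article
const NM = "node_modules/";

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    const idx = path.lastIndexOf(NM);
    if (idx === -1) continue; // "" is the root project, not a dependency
    // An aliased install keeps its real name in meta.name.
    const realName = meta.name || path.slice(idx + NM.length);
    if (realName === name) hits.push({ path, version: meta.version || "unknown" });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, name, trail = []) {
  const hits = [];
  for (const [dep, meta] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name) hits.push({ path: here.join(" > "), version: meta.version || "unknown" });
    hits.push(...scanDependencyTree(meta.dependencies, name, here));
  }
  return hits;
}

// v2 files carry both sections; prefer "packages" to avoid duplicate hits.
function findPackage(lock, name = SUSPECT) {
  return lock.packages
    ? scanPackagesMap(lock.packages, name)
    : scanDependencyTree(lock.dependencies, name);
}

// Constructed sample lockfiles; every name except pdf-to-office is hypothetical.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "2.0.0" },
  "node_modules/example-lib/node_modules/pdf-to-office": { version: "1.1.2" },
  "node_modules/doc-convert": { name: "pdf-to-office", version: "1.1.2" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "example-lib": { version: "2.0.0", dependencies: { "pdf-to-office": { version: "1.1.2" } } },
} };

for (const sample of [SAMPLE_V3, SAMPLE_V1]) {
  for (const hit of findPackage(sample)) console.log(`${hit.path} @ ${hit.version}`);
}
```

To check a real project, pass the parsed contents of its package-lock.json to `findPackage`.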
