Cybersecurity researchers have uncovered a malicious software campaign targeting cryptocurrency users, specifically those holding Ethereum (ETH), XRP, and Solana (SOL). The attack is being delivered via a trojanized Node Package Manager (NPM) package, allowing the malware to infiltrate developers’ systems and silently divert funds from popular crypto wallets.
How the Attack Works
According to researchers, the attack begins when unsuspecting developers install a compromised NPM package, most notably one titled “pdf-to-office”, which appears legitimate but contains hidden malicious code. Once installed, the malware scans the system for installed crypto wallets—especially Atomic and Exodus—and injects code to intercept outgoing transactions.
The affected wallets then unknowingly redirect crypto transfers to hacker-controlled addresses, resulting in the silent siphoning of funds.
Widening Scope of Crypto Malware
This latest incident has been described by experts as a major escalation in software supply chain threats aimed specifically at the cryptocurrency space. Once deployed, the malware is capable of targeting multiple blockchain networks, including Ethereum, Solana, XRP, and Tron-based USDT.
The campaign was detected and documented by ReversingLabs, which noted several indicators of compromise and warned that similar attacks could become more prevalent as crypto adoption among developers increases.
Implications for Users and Developers
This incident underscores the growing vulnerability of decentralized finance infrastructure to supply chain threats. Developers are urged to verify the integrity of NPM packages before use, and end users should ensure they use wallets with enhanced security protocols and stay vigilant for abnormal transaction behavior.
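One concrete form of the "verify the integrity of NPM packages" advice above, and a check that would have surfaced a package like the one described under "How the Attack Works", is a pre-install audit of the lockfile. The script below is an added example, not code from the article or from ReversingLabs; it assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by install path) and uses a constructed sample lockfile with a hypothetical package name.

```javascript
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';
// Package names the article reports as trojanized; any appearance is a finding.
const KNOWN_BAD = new Set(['pdf-to-office']);

// Parse an SRI string such as "sha512-<base64>"; return null if malformed or short.
function parseIntegrity(sri) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/.exec(sri || '');
  if (!m) return null;
  const expected = { sha256: 32, sha384: 48, sha512: 64 }[m[1]];
  const digest = Buffer.from(m[2], 'base64');
  return digest.length === expected ? { algo: m[1], bytes: digest.length } : null;
}

// Return [{pkg, issue}] for every lockfile entry that fails a policy check.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const flag = (issue) => findings.push({ pkg: name, issue });
    if (KNOWN_BAD.has(name)) flag('known-malicious-name');
    if (!entry.integrity) flag('missing-integrity');
    else if (!parseIntegrity(entry.integrity)) flag('malformed-integrity');
    if (!(entry.resolved || '').startsWith(TRUSTED_REGISTRY)) flag('untrusted-source');
    if (entry.hasInstallScript) flag('install-script'); // arbitrary code runs at install
  }
  return findings;
}

// Constructed sample lockfile (v3 layout): one clean entry, one with every warning sign.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      // constructed digest of the right length, not the package's real hash
      integrity: 'sha512-' + Buffer.alloc(64, 1).toString('base64'),
    },
    'node_modules/example-helper': { // hypothetical package name
      version: '1.0.0',
      resolved: 'https://mirror.invalid/example-helper-1.0.al.tgz'.replace('1.0.al', '1.0.0'),
      hasInstallScript: true,
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.pkg}: ${f.issue}`);
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty findings list is a reason to stop and review before `npm ci`.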
As decentralized applications become more mainstream, the line between traditional software development and crypto security continues to blur, leaving both dev teams and end users increasingly exposed.