Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems.
The package, named nodejs-smtp, impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README descriptions, attracting a total of 347 downloads since it was uploaded to the npm registry in April 2025 by a user named “nikotimon.” It’s currently no longer available.
“On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory,” Socket researcher Kirill Boychenko said.
The main objective is to overwrite the recipient address with hard-coded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions, effectively acting as a cryptocurrency clipper.
That having said, the package delivers on its stated functionality by acting as an SMTP-based mailer in an attempt to avoid raising developers’ suspicion.
The package still works as a mailer and exposes a drop-in interface compatible with nodemailer. That functional cover lowers suspicion, allows application tests to pass, and gives developers little reason to question the dependency.
The development comes months after ReversingLabs discovered an npm package named “pdf-to-office” that achieved the same goals by unpacking the “app.asar” archives associated with Atomic and Exodus wallets and modifying within them a JavaScript file to introduce the clipper function.
“This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots,” Boychenko said. “By abusing import time execution and Electron packaging, a lookalike mailer becomes a wallet drainer that alters Atomic and Exodus on compromised Windows systems.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
