Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what’s seen as a sneakier attempt to stage a software supply chain attack.
The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus.
“Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.
The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the authors themselves. The latest version, 1.1.2, was uploaded on April 8 and remains available for download. The package has been downloaded 334 times to date.
The disclosure comes merely weeks after the software supply chain security firm uncovered two npm packages named ethers-provider2 and ethers-providerz that were engineered to infect locally installed packages and establish a reverse shell to connect to the threat actor’s server over SSH.
What makes this approach an attractive option for threat actors is that it allows the malware to persist on developer systems even after the malicious package is removed.
An analysis of pdf-to-office has revealed that the malicious code embedded within the package checks for the presence of the “atomic/resources/app.asar” archive inside the “AppData/Local/Programs” folder to ascertain that Atomic Wallet is installed on the Windows computer, and if so, introduce the clipper functionality.
“If the archive was present, the malicious code would overwrite one of its files with a new trojanized version that had the same functionality as the legitimate file, but switched the outgoing crypto address where funds would be sent with the address of a Base64-encoded Web3 wallet belonging to the threat actor,” Valentić said.
In a similar vein, the payload is also designed to trojanize the file “src/app/ui/index.js” associated with the Exodus wallet.
But in an interesting twist, the attacks are aimed at two specific versions each of both Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2) so as to ensure that the correct JavaScript files are overwritten.
“If, by chance, the package pdf-to-office was removed from the computer, the Web3 wallets’ software would remain compromised and continue to channel crypto funds to the attackers’ wallet,” Valentić said. “The only way to completely remove the malicious trojanized files from the Web3 wallets’ software would be to remove them completely from the computer, and re-install them.”
The disclosure comes as ExtensionTotal detailed 10 malicious Visual Studio Code extensions that stealthily download a PowerShell script that disables Windows security, establishes persistence through scheduled tasks, and installs an XMRig cryptominer.
The extensions were collectively installed over a million times before they were taken down. The names of the extensions are below –
- Prettier — Code for VSCode (by prettier)
- Discord Rich Presence for VS Code (by Mark H)
- Rojo — Roblox Studio Sync (by evaera)
- Solidity Compiler (by VSCode Developer)
- Claude AI (by Mark H)
- Golang Compiler (by Mark H)
- ChatGPT Agent for VSCode (by Mark H)
- HTML Obfuscator (by Mark H)
- Python Obfuscator for VSCode (by Mark H)
- Rust Compiler for VSCode (by Mark H)
“The attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they impersonated to avoid raising suspicion while mining cryptocurrency in the background,” ExtensionTotal said.
