Threat actors continue to exploit the npm registry by uploading malicious packages designed to compromise local versions of legitimate libraries and execute harmful code, posing a growing risk to software supply chains.
One such package, pdf-to-office, was recently discovered masquerading as a utility for converting PDFs to Microsoft Word documents. Instead, it was engineered to target two popular cryptocurrency wallets, Atomic Wallet and Exodus, by injecting malicious code capable of hijacking transactions.
According to Lucija Valentić, a researcher at ReversingLabs, the malware replaces the recipient’s wallet address with one belonging to the attacker. “A victim trying to send crypto would unknowingly redirect funds to the attacker’s wallet,” Valentić explained in a report shared with The Hacker News.
Timeline and Distribution
- First published: March 24, 2025
- Latest update: April 8, 2025 (v1.1.2)
- Total downloads: 334+
Although previous versions appear to have been deleted by the authors, the latest version remains accessible on npm.
This discovery follows closely on the heels of other malicious npm packages — ethers-provider2 and ethers-providerz — which were designed to infect local packages and establish remote SSH connections, allowing persistent access to compromised developer environments.
How the npm Attack Works
Upon installation, pdf-to-office inspects the system for Atomic Wallet by checking for the archive "atomic/resources/app.asar" in the AppData directory. If found, the malware injects clipper functionality that modifies JavaScript files to swap crypto addresses.
- Targeted Atomic Wallet versions: 2.91.5 and 2.90.6
- Targeted Exodus versions: 25.13.3 and 25.9.2
If successful, the trojanized files persist even if the malicious npm package is removed. The only remediation is a full uninstallation and clean reinstall of the affected wallet software.
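Because the tampering lands in the wallet's own app.asar rather than in the npm package, removing the package leaves the infection in place. The following is an added example, not code from the report or from either wallet vendor: it records a SHA-256 baseline of each wallet's app.asar after a clean install and later checks whether the archive was rewritten. The Atomic Wallet path is the one named above; the Exodus path, the baseline file name and the demo fixture are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Archives the clipper rewrites, relative to AppData. The Atomic Wallet path is
# the one named in the article; the Exodus path is an assumed placeholder.
WALLET_ASAR_PATHS = {
    "atomic": Path("atomic", "resources", "app.asar"),
    "exodus": Path("Exodus", "resources", "app.asar"),  # assumed, not from the report
}

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def record_baseline(appdata: Path, baseline_file: Path) -> dict:
    """Hash each present app.asar after a clean install and persist the hashes."""
    baseline = {}
    for name, rel in WALLET_ASAR_PATHS.items():
        asar = appdata / rel
        if asar.is_file():
            baseline[name] = {"path": str(asar), "sha256": sha256_file(asar)}
    baseline_file.write_text(json.dumps(baseline, indent=2))
    return baseline

def verify_baseline(baseline_file: Path) -> dict:
    """Per wallet: 'ok' (unchanged), 'MODIFIED' (hash differs) or 'missing'."""
    results = {}
    for name, entry in json.loads(baseline_file.read_text()).items():
        asar = Path(entry["path"])
        if not asar.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(asar) == entry["sha256"] else "MODIFIED"
    return results

def demo() -> dict:
    """Constructed fixture: fake AppData tree, baseline, then a tampered archive."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp)
        for rel in WALLET_ASAR_PATHS.values():
            (appdata / rel).parent.mkdir(parents=True)
            (appdata / rel).write_bytes(b"ASAR\x00original bundle bytes")
        baseline_file = appdata / "wallet-asar-baseline.json"
        record_baseline(appdata, baseline_file)
        # Simulate tampering: rewrite Atomic's archive; remove Exodus to show 'missing'.
        (appdata / WALLET_ASAR_PATHS["atomic"]).write_bytes(b"ASAR\x00patched bundle")
        (appdata / WALLET_ASAR_PATHS["exodus"]).unlink()
        return verify_baseline(baseline_file)
```

On a real Windows host, pass `Path(os.environ["APPDATA"])` as `appdata`; a legitimate wallet update also changes the hash, so re-record the baseline after each update and treat a change you did not install as the signal to do the clean reinstall described above.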
Broader Threat Landscape
The incident comes amid another supply chain alert: cybersecurity firm ExtensionTotal reported 10 malicious Visual Studio Code extensions that had been downloaded over 1 million times before being removed. These extensions installed PowerShell scripts to disable Windows security features, maintain persistence, and deploy the XMRig cryptominer.
Malicious VSCode Extensions:
- Prettier — Code for VSCode
- Discord Rich Presence for VS Code
- Rojo — Roblox Studio Sync
- Solidity Compiler
- Claude AI
- Golang Compiler
- ChatGPT Agent for VSCode
- HTML Obfuscator
- Python Obfuscator for VSCode
- Rust Compiler for VSCode
ExtensionTotal noted that attackers even installed the original extensions they were impersonating, helping them evade detection while silently mining cryptocurrency in the background.