InfoSunrise – Daily Insights Across Tech, Travel, Lifestyle & More

Latest News, Trends & Expert Picks in One Place

Tech

Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Byadmin

Sep 2, 2025 #5G technology, #AI technology, #artificial intelligence, #augmented reality, #best laptops, #best tech apps, #blockchain, #cloud computing, #cryptocurrency, #cybersecurity, #digital transformation, #emerging tech, #future technology, #iOS vs Android, #latest inventions, #latest tech news, #machine learning, #new gadgets, #robotics, #smart home devices, #smartphones, #software updates, #tech, #tech comparisons, #tech industry news, #tech innovations, #tech reviews, #tech startups, #tech tips and tricks, #tech trends, #tech tutorials, #technology, #top tech of 2025, #virtual reality, #wearable tech

Sep 02, 2025Ravie LakshmananCryptocurrency / Malware

Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems.

The package, named nodejs-smtp[1], impersonates the legitimate email library nodemailer[2] with an identical tagline, page styling, and README descriptions, attracting a total of 347 downloads[3] since it was uploaded[4] to the npm registry in April 2025 by a user named “nikotimon.” It’s currently no longer available.

“On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory,” Socket researcher Kirill Boychenko said[5].

Audit and Beyond

The main objective is to overwrite the recipient address with hard-coded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions, effectively acting as a cryptocurrency clipper.

That having said, the package delivers on its stated functionality by acting as an SMTP-based mailer in an attempt to avoid raising developers’ suspicion.

The package still works as a mailer and exposes a drop-in interface compatible with nodemailer. That functional cover lowers suspicion, allows application tests to pass, and gives developers little reason to question the dependency.

The development comes months after ReversingLabs discovered[6] an npm package named “pdf-to-office” that achieved the same goals by unpacking the “app.asar” archives associated with Atomic and Exodus wallets and modifying within them a JavaScript file to introduce the clipper function.

“This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots,” Boychenko said. “By abusing import time execution and Electron packaging, a lookalike mailer becomes a wallet drainer that alters Atomic and Exodus on compromised Windows systems.”

References

  1. ^ nodejs-smtp (www.npmjs.com)
  2. ^ nodemailer (www.npmjs.com)
  3. ^ 347 downloads (npm-stat.com)
  4. ^ uploaded (socket.dev)
  5. ^ said (socket.dev)
  6. ^ discovered (thehackernews.com)

By admin

Related Post

Tech

I’ve finally found an Apple Intelligence feature I can’t live without – and it might convince you to buy an iPhone 17

Sep 2, 2025 admin
Tech

Marshall just announced a new Dolby Atmos soundbar and ‘foundation-shaking’ sub and I’m beyond excited – here’s why

Sep 2, 2025 admin
Tech

Is this real? The Galaxy S25 Edge is on sale for just $699 at Amazon right now

Sep 2, 2025 admin

You missed

World

Over 1,000 dead in Sudan landslide as local group pleads for help

September 2, 2025 admin
World

Belgium to recognise Palestinian state at UN General Assembly

September 2, 2025 admin
World

Danish artist’s a-peeling take on gender sells for $12,869

September 2, 2025 admin
World

Top genocide scholars say Israel is committing genocide in Gaza

September 2, 2025 admin