The attack unfolds when unsuspecting developers integrate malicious npm packages, such as the seemingly harmless pdf-to-office, into their projects. Once installed, these packages quietly scan the victim's system for installed wallets and inject malicious code designed to reroute cryptocurrency transactions to attacker-controlled wallets.
The malware uses obfuscation techniques and executes a multi-stage process: it locates and unpacks key files in wallet apps (such as the .asar archives used by Electron apps), injects rogue JavaScript code, and then repacks them, which makes the tampering difficult to detect. By altering the wallet software itself, the malware replaces the real recipient address with a base64-encoded address belonging to the attackers.
Victims may unknowingly send funds in several cryptocurrencies (Ethereum, XRP, Solana, or USDT on Tron) directly to the criminals. Once a wallet is compromised, the malware reports back to a command-and-control server with details such as the system path, confirming a successful infection.
Researchers at ReversingLabs identified the malicious behavior by analyzing network requests, encoded payloads, and code patterns. The findings highlight an ongoing escalation of software supply chain attacks, especially targeting the crypto ecosystem.
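As an added illustration of the detection approach described above (not code from ReversingLabs or the article), the script below parses an Electron .asar archive directly and flags JavaScript files containing base64 literals that decode to an Ethereum, Tron, XRP or Solana address, the pattern the tampered wallet code exhibits. The archive, the address and the file names are constructed fixtures; the address regexes are the author's own heuristic shapes, not part of the article.

```python
import base64
import json
import re
import struct

# Address shapes for the currencies the article names (heuristic, assumed here).
ADDRESS_PATTERNS = [
    re.compile(r"^0x[0-9a-fA-F]{40}$"),             # Ethereum / ERC-20
    re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),     # Tron (TRC-20 USDT)
    re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),  # XRP Ledger
    re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),   # Solana base58 public key
]
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def build_asar(files):
    """Pack {path: bytes} into a flat ASAR archive (constructed test fixture only)."""
    entries, blobs, offset = {}, [], 0
    for name, data in files.items():
        entries[name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header = json.dumps({"files": entries}).encode()
    pad = (-len(header)) % 4
    pickle = struct.pack("<II", 4 + len(header) + pad, len(header)) + header + b"\0" * pad
    return struct.pack("<II", 4, len(pickle)) + pickle + b"".join(blobs)

def iter_asar(blob, node=None, base=None, path=""):
    """Yield (path, content) for every file by reading the ASAR pickle header."""
    if node is None:
        _, pickle_len = struct.unpack_from("<II", blob, 0)   # size field, header pickle size
        _, str_len = struct.unpack_from("<II", blob, 8)      # payload size, JSON length
        node, base = json.loads(blob[16:16 + str_len]), 8 + pickle_len
    for name, meta in node["files"].items():
        if "files" in meta:
            yield from iter_asar(blob, meta, base, f"{path}/{name}")
        else:
            off = base + int(meta["offset"])
            yield f"{path}/{name}", blob[off:off + meta["size"]]

def find_encoded_addresses(blob):
    """Return (file, decoded) for base64 literals in .js files that decode to an address."""
    hits = []
    for path, content in iter_asar(blob):
        if not path.endswith(".js"):
            continue
        for lit in B64_LITERAL.findall(content.decode("utf-8", "replace")):
            try:
                decoded = base64.b64decode(lit, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if any(p.match(decoded) for p in ADDRESS_PATTERNS):
                hits.append((path, decoded))
    return hits

# Constructed sample: one clean file and one carrying an encoded (fake) address.
FAKE_ADDRESS = "0x" + "ab" * 20
SAMPLE_ASAR = build_asar({
    "main.js": b'const cfg = atob("aGVsbG8gd29ybGQgY29uZmln");',
    "renderer.js": f'to = atob("{base64.b64encode(FAKE_ADDRESS.encode()).decode()}");'.encode(),
})
```

Pair this heuristic with a hash comparison of app.asar against the vendor's release, since the scan only catches encoded addresses, not every form of injected code.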
Source: Cyber Security News
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.