Cybercriminals are exploiting open-source repositories to launch malware attacks on Atomic and Exodus wallet users, with a focus on stealing private keys and draining funds. ReversingLabs, a cybersecurity firm, has identified a sophisticated campaign that injects malicious code into popular Node Package Manager (NPM) libraries disguised as tools like PDF-to-Office converters.
Once installed, the malware executes in multiple stages. It scans infected devices for crypto wallets, then deploys a clipboard hijacker that silently changes wallet addresses during transactions, diverting crypto assets to the attacker’s wallets. Even after deleting the deceptive package, remnants of the malware can persist, making complete removal difficult without reinstalling wallets from verified sources.
The malware also gathers system data and monitors the success rate of its infiltration, allowing hackers to refine future attacks. ReversingLabs emphasizes that this method of software supply chain attack poses a growing threat across industries, not just crypto. Developers and users are advised to verify software sources and enhance monitoring for suspicious activity.
In a related development, Kaspersky reported a similar campaign on SourceForge involving fake Microsoft Office installers embedded with crypto-targeting malware, including clipboard hijackers and miners. These attacks exploit the trust users place in open-source and popular software platforms.
The growing trend of open-source abuse signals the need for stricter cybersecurity measures within the Web3 ecosystem. According to DeFiLlama, over $1.5 billion in crypto assets were lost to hacks in Q1 2025 alone, including a $1.4 billion breach at Bybit in February.
As attackers evolve their methods, crypto holders and developers must remain vigilant, employ trusted security tools, and avoid downloading software from unverified or unfamiliar sources.