Malicious npm Package Targets Atomic Wallet and Exodus Users by Swapping Crypto Addresses

April 10, 2025 | Ravie Lakshmanan | Malware and Cryptocurrencies

In what has been described as a sneakier attempt to stage a software supply chain attack, threat actors continue to upload malicious packages to the npm registry that tamper with already-installed local versions of legitimate libraries to inject malicious code.

The newly discovered package, known as pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. In reality, it has the ability to inject malicious code into cryptocurrency wallet software such as Atomic Wallet and Exodus.

ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News that "a victim who attempted to send crypto funds to another crypto wallet would essentially have the intended wallet destination address swapped out for one belonging to the malicious actor."

The npm package in question was first published on March 24, 2025, and has since received three updates, though it is likely that the authors themselves have already removed the earlier versions. The most recent version, 1.1.2, was uploaded on April 8 and is still available for download. The package has been installed so far.

The disclosure comes just weeks after the software supply chain security firm found two npm packages called that were designed to tamper with locally installed packages and open a reverse shell to the threat actor's server over SSH.

This approach allows the malware to persist on developer systems even after the malicious package has been removed, which makes it an attractive option for threat actors.

An analysis of pdf-to-office has revealed that the malicious code embedded within the package checks for the presence of "atomic/resources/app." in the "AppData/Local/Programs" folder to determine whether Atomic Wallet is installed on a Windows machine, and if so, injects the .

According to Valentić, "if the library was present, the malicious code would replace one of its files with a new trojanized version that had the same functionality as the legitimate file, but swapped the legitimate cryptocurrency address where funds would be sent with the Base64-encoded address of a Web3 wallet belonging to the threat actor."

In the same manner, the payload is also designed to trojanize the file "src/app/ui/index." in the Exodus wallet.

To avoid overwriting the wrong JavaScript files, the attack targets two specific versions each of Atomic Wallet (2.9.1.5 and 2.9.2) and Exodus (2.9.3.3 and 25.9.2).
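A defender-side triage check over a project's node_modules, added here as an example and not code from the article, ReversingLabs or the package itself: it flags installed packages whose JavaScript references the wallet install paths named above and records whether the package declares an install-time script hook. The indicator labels, the regexes, the function names and the constructed sample tree are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators from the article: Atomic Wallet's "atomic/resources/app" under
# AppData/Local/Programs and the Exodus file "src/app/ui/index". Labels and regexes are assumptions.
WALLET_PATTERNS = [
    ("atomic-wallet-app-dir", re.compile(r"atomic[/\\]resources[/\\]app", re.I)),
    ("exodus-ui-index", re.compile(r"src[/\\]app[/\\]ui[/\\]index", re.I)),
    ("appdata-programs", re.compile(r"AppData[/\\]Local[/\\]Programs", re.I)),
]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def audit_package(pkg_dir):
    """Flag JS files in one installed package that reference wallet install paths."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text("utf-8"))
    except (OSError, ValueError):
        return []  # not a package (or unreadable): nothing to audit
    hooks = [h for h in LIFECYCLE_HOOKS if h in manifest.get("scripts", {})]
    findings = []
    for js in pkg_dir.rglob("*.js"):
        body = js.read_text("utf-8", errors="ignore")
        hits = [label for label, rx in WALLET_PATTERNS if rx.search(body)]
        if hits:  # wallet path + an install-time hook is the combination to review
            findings.append({"package": manifest.get("name", pkg_dir.name), "hooks": hooks,
                             "file": js.relative_to(pkg_dir).as_posix(), "hits": hits})
    return findings

def audit_node_modules(root):
    """Audit every top-level and scoped package below a node_modules directory."""
    manifests = list(Path(root).glob("*/package.json")) + list(Path(root).glob("@*/*/package.json"))
    return [f for m in manifests for f in audit_package(m.parent)]

def demo():
    """Build a constructed node_modules tree (one clean package, one mimicking the article) and audit it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    files = {  # "sample-converter" is a constructed name, not the real package
        "left-pad/package.json": '{"name": "left-pad", "version": "1.0.0"}',
        "left-pad/index.js": "module.exports = s => ' ' + s;",
        "sample-converter/package.json":
            '{"name": "sample-converter", "scripts": {"postinstall": "node setup.js"}}',
        "sample-converter/setup.js":
            "const p = process.env.LOCALAPPDATA + '/Programs/atomic/resources/app';",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return audit_node_modules(root)
```

Run `audit_node_modules("node_modules")` against a real project; a hit in a package that also declares a postinstall hook is worth a manual look, while a hit alone may be a legitimate wallet integration.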

Even if the package pdf-to-office were removed from the computer, the Web3 wallets' software would remain compromised and continue to channel cryptocurrency funds to the attackers' wallet, according to Valentić. "The only way to completely remove the malicious trojanized files from the Web3 wallets' software would be to remove them from the computer entirely and re-install them."

The disclosure comes as ExtensionTotal detailed 10 malicious Visual Studio Code extensions that stealthily fetch a PowerShell script which disables Windows security, establishes persistence through scheduled tasks, and installs an XMRig cryptominer.

The extensions were installed over a million times before being taken down. Their names are listed below.

  • Prettier - Code for VSCode (by prettier)
  • Discord Rich Presence for VS Code (by Mark H)
  • Evaera - Roblox Studio Sync
  • Solidity Compiler (by VSCode Developer)
  • Claude AI (by Mark H)
  • Golang Compiler (by Mark H)
  • ChatGPT Agent for VSCode (by Mark H)
  • HTML Obfuscator (by Mark H)
  • Python Obfuscator for VSCode (by Mark H)
  • Rust Compiler for VSCode (by Mark H)

The attackers carried out a sophisticated multi-stage attack, which included installing the legitimate extensions they impersonated so as not to raise suspicion while mining cryptocurrency in the background, according to ExtensionTotal.
