Wallets Being Robbed of ETH, XRP, and SOL by Sneaky Crypto Malware
Cybersecurity experts have revealed significant information about a malware campaign that focuses on Ethereum, XRP, and Solana users.
The assault primarily affects Atomic and Exodus wallet users through compromised node package manager (NPM) packages.
This nefarious campaign redirects transactions to addresses controlled by attackers, all without the wallet owner’s awareness.
The attack starts when developers inadvertently install trojanized npm packages within their projects. Researchers have identified a package named “pdf-to-office” that appears to be legitimate but harbors concealed malicious code.
After installation, the package scans the user’s system for cryptocurrency wallets and injects harmful code designed to intercept transactions.
‘Escalation in targeting’
According to researchers, “This latest campaign marks an escalation in the persistent targeting of cryptocurrency users via software supply chain attacks.”
The malware can manipulate transactions across several cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP, and Solana (SOL).
ReversingLabs discovered the campaign through a detailed analysis of suspicious npm packages, uncovering multiple signs of malicious activities, such as dubious URL connections and code patterns that matched known threats. Their technical investigation indicates a multi-stage attack utilizing advanced obfuscation methods to avoid detection.
The infection process initiates when the malicious package executes its payload aimed at wallet software installed on the host system. The code specifically targets application files located in designated paths.
Once the files are identified, the malware extracts the application archive. This is done by code that creates temporary directories, unpacks the application files, injects the malicious code, and then repacks everything so that the application appears unmodified.
The malware alters the transaction handling code to substitute legitimate wallet addresses with attacker-controlled ones, storing the attacker's addresses as base64-encoded strings that are decoded at runtime.
For instance, when a user tries to send ETH, the code replaces the intended recipient address with an address belonging to the attacker, decoded from a base64 string.
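The substitution pattern described above (an attacker address hidden as a base64 string and decoded when a transaction is built) is something a defender can scan for directly. The following is an added example, not code from the article or from ReversingLabs: a small Node.js triage scanner that walks JavaScript source text, finds quoted base64 literals, decodes them, and reports any that decode to a string shaped like an ETH, Tron, XRP, or Solana address. The sample source it scans is constructed here, the address in it is a made-up placeholder (forty `1`s), and the address regexes are an assumption chosen for quick triage rather than strict validation.

```javascript
'use strict';
// Added example (not from the article or ReversingLabs): flag string literals in
// JavaScript source that base64-decode to a cryptocurrency address, the hiding
// technique used to smuggle an attacker-controlled recipient into wallet code.

// Address shapes per chain. Assumption: these loose regexes are adequate for triage.
const BASE58 = '[1-9A-HJ-NP-Za-km-z]';
const ADDRESS_PATTERNS = {
  ETH: /^0x[0-9a-fA-F]{40}$/,
  TRON: new RegExp(`^T${BASE58}{33}$`),
  XRP: new RegExp(`^r${BASE58}{24,34}$`),
  SOL: new RegExp(`^${BASE58}{32,44}$`),
};

// Candidate base64 literals: quoted, base64 alphabet only, long enough to hold an address.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{24,}={0,2})\1/g;

// Return the chain whose address shape the text matches, or null.
function classifyAddress(text) {
  for (const [chain, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(text)) return chain;
  }
  return null;
}

// Scan one source file's text; return a finding per hidden address (file, line, chain, decoded value).
function scanSource(source, fileName = '<memory>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(B64_LITERAL)) {
      const literal = m[2];
      const decoded = Buffer.from(literal, 'base64').toString('utf8');
      // Addresses are printable ASCII; binary blobs (images, fonts) are skipped to avoid noise.
      if (!/^[\x21-\x7e]+$/.test(decoded)) continue;
      const chain = classifyAddress(decoded);
      if (chain) findings.push({ file: fileName, line: idx + 1, chain, decoded, literal });
    }
  });
  return findings;
}

// Constructed sample: a handler shaped like the injected code, with a placeholder address,
// plus a benign base64 image literal that must not be reported.
const PLACEHOLDER_ETH = '0x' + '1'.repeat(40);
const SAMPLE_SOURCE = [
  'function sendEth(to, amount) {',
  `  const hidden = "${Buffer.from(PLACEHOLDER_ETH).toString('base64')}";`,
  '  to = Buffer.from(hidden, "base64").toString();  // recipient silently replaced',
  '  return submit(to, amount);',
  '}',
  'const logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";',
].join('\n');

function demo() {
  return scanSource(SAMPLE_SOURCE, 'wallet-bundle.js');
}

for (const f of demo()) {
  console.log(`${f.file}:${f.line} ${f.chain} address hidden in base64: ${f.decoded}`);
}
```

Run against an unpacked wallet bundle (or a freshly installed `node_modules` tree) this reports one line for the placeholder handler and nothing for the image literal. A hit is a lead, not proof: legitimate code occasionally embeds addresses (for example, known token contracts), so each finding should be compared against the vendor's published bundle before the application is treated as tampered with.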
This malware’s consequences can be devastating, as transactions appear to be processed normally in the wallet interface while actually rerouting funds to the attackers.
Users remain unaware of the compromise until they verify the blockchain transaction, discovering that their funds have been sent to an unexpected address.