
Hijacking wallets with malicious patches. [Research Saturday]

CyberWire Daily

N2K Networks, Inc.

Daily News, Tech News, News, Technology


🗓️ 10 May 2025

⏱️ 17 minutes


Summary

This week, we are joined by Lucija Valentić, Software Threat Researcher from ReversingLabs, who is discussing "Atomic and Exodus crypto wallets targeted in malicious npm campaign." Threat actors have launched a malicious npm campaign targeting Atomic and Exodus crypto wallets by distributing a fake package called "pdf-to-office," which secretly patches locally installed wallet software to redirect crypto transfers to attacker-controlled addresses. ReversingLabs researchers discovered that this package used obfuscated JavaScript to trojanize specific files in targeted wallet versions, enabling persistence even after the malicious package was removed. This incident highlights the growing threat of software supply chain attacks in the cryptocurrency space and underscores the need for vigilant monitoring of both open-source repositories and local applications.

The research can be found here: Atomic and Exodus crypto wallets targeted in malicious npm campaign

Transcript


0:00.0

You're listening to the Cyberwire Network, powered by N2K.

0:10.2

What's the common denominator in security incidents?

0:16.4

Escalations and lateral movement.

0:18.9

When a privileged account is compromised, attackers can seize control of

0:22.9

critical assets. With bad directory hygiene and years of technical debt, identity attack paths are

0:29.6

easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk

0:35.6

in Active Directory, Entra ID, and hybrid configurations.

0:40.1

Identity leaders are reducing such risks with attack path management.

0:44.7

You can learn how attack path management is connecting identity and security teams

0:49.1

while reducing risk with BloodHound Enterprise, powered by SpecterOps.

0:54.8

Head to SpecterOps.io today to learn more.

0:58.9

SpecterOps, see your attack paths the way adversaries do.

1:26.3

This malicious npm package puts a malicious payload inside other locally installed software, Atomic Wallet and Exodus in this case.

1:30.3

So the malicious payload is still there. That means once you find out that that package is maybe malicious,

1:35.3

you remove it, but the malicious payload would still stay in the Atomic Wallet software

1:42.3

and the Exodus wallet software.

1:44.9

So you would still be left with the malicious payload,

1:48.2

even if you delete the malicious npm package.

2:00.7

That's Lucija Valentić, Software Threat Researcher from ReversingLabs.

2:05.4

The research we're discussing today is titled "Atomic and Exodus crypto wallets targeted in malicious npm campaign."

2:26.5

In the last couple of months on npm, there have been a lot of malicious npm packages that are targeting the crypto community.

2:30.5

So we are paying close attention to those kinds of packages.

...
