Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets such as Atomic and Exodus on Windows systems.
The package, named nodejs-smtp, impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README details. It attracted a total of 347 downloads after it was uploaded to the npm registry in April 2025 by a user called “nikotimon”. It is not currently available.
“On import, the package uses Electron tooling to unpack Atomic Wallet's app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory,” said Socket researcher Kirill Boychenko.
The main objective is to overwrite the recipient address with hard-coded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions, effectively working as a cryptocurrency clipper.
That said, the package delivers on its declared functionality and works as an SMTP-based mailer, to avoid raising developers' suspicion.
The package still acts as a mailer and exposes a drop-in interface compatible with nodemailer. This functional cover reduces suspicion, allows application tests to pass, and gives developers very little reason to question the dependency.
This development comes months after ReversingLabs discovered an npm package called “pdf-to-office”, which achieved the same goal by unpacking the “app.asar” archives associated with the Atomic and Exodus wallets and modifying a JavaScript file in them to introduce a clipper function.
“This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots,” Boychenko said. “By abusing import-time execution and Electron packaging, a lookalike mailer becomes a wallet drainer that alters Atomic and Exodus on compromised Windows systems.”
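A defender-side check for the app.asar tampering described above, as an added example that is not from Socket, ReversingLabs or the original article: it parses an ASAR archive, hashes every packed file, and reports which entries differ from a trusted baseline taken from a known-good install. The function names, the `dist/vendors.js` path and the sample archives are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest('hex');

// Parse an ASAR buffer and return Map(path -> SHA-256 of that file's bytes).
// Layout: size pickle (2 x uint32), header pickle (payload size, JSON length, JSON), file data.
function hashAsarEntries(buf) {
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const base = 8 + headerSize; // file data starts right after the header pickle
  const out = new Map();
  (function walk(node, prefix) {
    for (const [name, e] of Object.entries(node.files)) {
      if (e.files) walk(e, prefix + name + '/');
      else if (e.offset !== undefined) { // entries stored outside the archive carry no offset
        const start = base + Number(e.offset);
        out.set(prefix + name, sha256(buf.subarray(start, start + e.size)));
      }
    }
  })(header, '');
  return out;
}

// Paths whose content differs from the trusted baseline, and paths that disappeared.
function changedEntries(baseline, current) {
  const changed = [...current].filter(([p, h]) => baseline.get(p) !== h).map(([p]) => p);
  const removed = [...baseline.keys()].filter((p) => !current.has(p));
  return { changed, removed };
}

// Constructed fixture builder (not part of the check): packs {path: content} into ASAR bytes.
function buildAsar(files) {
  const header = { files: {} }, chunks = [];
  let off = 0;
  for (const [path, content] of Object.entries(files)) {
    const parts = path.split('/'), leaf = parts.pop();
    let node = header;
    for (const d of parts) node = node.files[d] = node.files[d] || { files: {} };
    const data = Buffer.from(content);
    node.files[leaf] = { size: data.length, offset: String(off) };
    chunks.push(data); off += data.length;
  }
  const json = Buffer.from(JSON.stringify(header));
  const pad = (4 - (json.length % 4)) % 4; // pickle strings are 4-byte aligned
  const head = Buffer.alloc(16);
  [4, 8 + json.length + pad, 4 + json.length + pad, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  return Buffer.concat([head, json, Buffer.alloc(pad), ...chunks]);
}

// Constructed sample: the same archive before and after one bundle is swapped.
const clean = buildAsar({ 'package.json': '{}', 'dist/vendors.js': 'send(to)' });
const tampered = buildAsar({ 'package.json': '{}', 'dist/vendors.js': 'send(OTHER)' });
console.log(changedEntries(hashAsarEntries(clean), hashAsarEntries(tampered)));
```

Run against a real install, the baseline map would come from the vendor's signed installer rather than from the workstation being checked.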