Threat actors are abusing open-source software (OSS) package repositories to plant malicious code in trusted applications that are already installed on victims' machines, with cryptocurrency wallet software as the primary target.
The ReversingLabs (RL) research team has identified a pattern in which attackers upload seemingly legitimate packages to repositories such as npm; once run, those packages inject malicious "patches" into the user's local installation of crypto wallet software.
Hijacking Open Source Packages
The latest scheme involved an npm package named "pdf-to-office," promoted as a utility for converting PDF files to Microsoft Office formats.
The package was a trojan horse: its real function was to modify legitimate software already present on the system.

Upon execution, it specifically targeted Atomic Wallet and Exodus Wallet, overwriting key files with trojanized versions to redirect cryptocurrency transactions to attackers’ wallets.
The attackers have adapted their tactics to evade detection. After RL reported a similar campaign in December involving the Python AI library Ultralytics, which was quickly noticed and mitigated, the threat actors moved to subtler approaches.
The malicious packages now pose as ordinary utilities, and the changes they make to the wallet blend in with routine updates, making detection and response more challenging.
Specific Targets and Techniques
The malicious code in "pdf-to-office" was tailored to specific versions of Atomic Wallet, showing detailed knowledge of the application's file layout.

The code branches on the installed version, accounting for changes in file structure between Atomic Wallet versions 2.90.6 and 2.91.5.
This level of targeting indicates significant reconnaissance and preparation by the threat actors.
The campaign did not stop at stealing funds; it also took steps related to covering tracks.
The malicious code collected logs from AnyDesk, a remote access tool, suggesting an effort either to gather more information about the victim or to remove evidence of an earlier intrusion.
Because the payload lives in the wallet's own files, removing the malicious npm package does not end the attack, which is what makes this campaign so dangerous.
Unless the compromised wallet application is completely uninstalled and reinstalled from a trusted source, the trojanized code remains active and keeps redirecting funds to the attackers' wallets.
This trend of attacking software supply chains, particularly in the cryptocurrency sector, shows a threat landscape that is still growing.
RL’s 2025 Software Supply Chain Security Report highlights the expanding scope of these risks, emphasizing the need for enhanced monitoring of software updates and local deployments.
Organizations must now remain vigilant not only for external threats but also for subtle modifications in software they already trust.
The Indicators of Compromise (IOCs) published by RL, including SHA1 hashes and IP addresses linked to the campaign, give security teams concrete material for detecting this campaign and verifying whether local wallet installations have been tampered with.
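The two practical takeaways above, that the payload survives in the wallet's own files and that RL has published SHA1 IOCs, both point at the same defensive check: hash the installed wallet's files and compare them against a known-clean baseline and an IOC list. The script below is an added example and is not code from ReversingLabs or from either wallet project. It assumes an Electron-style install tree with application code under resources/app.asar (both wallets are Electron apps, but the exact file set used here is an assumption), and the baseline, the install tree and the IOC hashes are all constructed inline for the demonstration; none of them are real indicators from the RL report.

```python
"""Local integrity + IOC check for an installed Electron-based wallet.

Added example (not ReversingLabs' or the wallets' own code). Assumes an
Electron-style install tree with app code in resources/app.asar; the
baseline, the install tree and the IOC hashes are all constructed here
and are NOT real indicators from the RL report.
"""
import hashlib
import tempfile
from pathlib import Path


def sha1_file(path: Path) -> str:
    """SHA1 of a file, streamed so a large .asar archive is not read into RAM at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_install(root: Path, baseline: dict[str, str], ioc_sha1: set[str]) -> dict[str, list[str]]:
    """Compare every file under `root` with a vendor baseline.

    `baseline` maps relative POSIX paths to the SHA1 of a clean install
    (in practice, hashes taken from a fresh download of the same version).
    Returns sorted lists: files whose hash changed, files the baseline does
    not know about, baseline files that are gone, and files matching IOCs.
    """
    found = {p.relative_to(root).as_posix(): sha1_file(p)
             for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(f for f, h in found.items() if f in baseline and baseline[f] != h),
        "unexpected": sorted(f for f in found if f not in baseline),
        "missing": sorted(f for f in baseline if f not in found),
        "ioc_hits": sorted(f for f, h in found.items() if h in ioc_sha1),
    }


# Constructed sample install: placeholder bytes, not real wallet files.
CLEAN_FILES = {
    "AtomicWallet.exe": b"ELECTRON-LAUNCHER-PLACEHOLDER",
    "resources/app.asar": b"ASAR-PLACEHOLDER-CLEAN-2.91.5",
    "resources/electron.asar": b"ASAR-PLACEHOLDER-ELECTRON",
}
TROJANIZED_ASAR = b"ASAR-PLACEHOLDER-WITH-SWAPPED-DESTINATION-ADDRESS"


def run_demo() -> dict[str, list[str]]:
    """Build a clean install, record its baseline, trojanize it, then scan it."""
    root = Path(tempfile.mkdtemp(prefix="wallet-"))
    for rel, data in CLEAN_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = {rel: sha1_file(root / rel) for rel in CLEAN_FILES}

    # Simulate what the article describes: the wallet's own file is overwritten
    # and the malicious npm package is long gone, so only a local check sees it.
    (root / "resources/app.asar").write_bytes(TROJANIZED_ASAR)
    (root / "resources/patch.log").write_bytes(b"constructed dropped file")

    # IOC set: the hash of the constructed trojanized file plus a placeholder
    # hash that matches nothing, standing in for a published indicator.
    iocs = {hashlib.sha1(TROJANIZED_ASAR).hexdigest(), "0" * 40}
    return scan_install(root, baseline, iocs)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

Against a real machine, replace CLEAN_FILES with a hash manifest generated from a freshly downloaded installer of the same wallet version, and the IOC set with the SHA1 values from RL's report. A "modified" or "ioc_hits" entry for the application bundle is the signal the article warns about: the fix is a full uninstall and reinstall, not just removing the npm package.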
This incident serves as a stark reminder of the evolving strategies in cybercrime, calling for immediate attention to security practices within the cryptocurrency community and beyond.