The security of the open-source software ecosystem has been challenged once again by the discovery of a malicious npm package, “nodejs-smtp,” crafted to steal cryptocurrency. Researchers are raising alarms over this sophisticated software supply chain attack, where the package was a deliberate counterfeit of “nodemailer,” one of the most popular emailing libraries in the Node.js ecosystem. By using identical documentation and styling, the malicious package successfully duped developers, leading to hundreds of downloads before it was identified and removed from the public registry. This incident highlights a dangerous trend where threat actors exploit the trust developers place in open-source repositories to distribute malware.
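The two traits the article attributes to "nodejs-smtp" (documentation copied from a popular package, and a payload that runs at install time) are both things a project can check for in its own dependency tree before trusting a package. The audit below is an added example written for this page, not code from the article, from npm or from the nodemailer project; the package objects, the description text and the 0.8 similarity threshold are constructed assumptions, and in practice the input would be the package.json files read from node_modules.

```javascript
// Added example, not from the article: audit resolved dependencies for two
// red flags behind counterfeit-package attacks.
//  1. a lifecycle script that executes code at install time
//  2. a package whose description mirrors a well-known package under another name
// All package data below is constructed sample data, not real registry content.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Reference set of trusted packages (constructed descriptions, assumption).
const KNOWN = [
  { name: 'nodemailer', description: 'Easy email sending from Node.js' },
  { name: 'express', description: 'Fast, unopinionated, minimalist web framework' },
];

// Bag-of-words tokens of a free-text field.
function tokens(text) {
  return new Set((text || '').toLowerCase().match(/[a-z0-9]+/g) || []);
}

// Jaccard similarity of two token sets, 0..1.
function jaccard(a, b) {
  let inter = 0;
  for (const t of a) if (b.has(t)) inter++;
  const union = a.size + b.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Return the list of findings for one package.json object (empty if clean).
function auditPackage(pkg, threshold = 0.8) {
  const findings = [];

  // 1. install-time hooks: code that runs merely by being installed
  const hooks = Object.keys(pkg.scripts || {}).filter((k) => INSTALL_HOOKS.includes(k));
  if (hooks.length) findings.push(`install-time script(s): ${hooks.join(', ')}`);

  // 2. description copied from a known package but published under a different name
  const mine = tokens(pkg.description);
  for (const k of KNOWN) {
    if (k.name === pkg.name) continue; // the genuine package is allowed to match itself
    const sim = jaccard(mine, tokens(k.description));
    if (sim >= threshold) {
      findings.push(`description mirrors "${k.name}" (similarity ${sim.toFixed(2)})`);
    }
  }
  return findings;
}

// Audit a whole dependency list; returns { packageName: [findings] } for flagged packages only.
function auditAll(pkgs) {
  const report = {};
  for (const p of pkgs) {
    const f = auditPackage(p);
    if (f.length) report[p.name] = f;
  }
  return report;
}

// Constructed sample dependency tree (not real packages or real registry data).
const SAMPLE_PACKAGES = [
  { name: 'nodemailer', version: '6.0.0', description: 'Easy email sending from Node.js' },
  {
    name: 'nodejs-smtp',
    version: '1.0.0',
    description: 'Easy email sending from Node.js',
    scripts: { postinstall: 'node setup.js' },
  },
  { name: 'left-pad-ish', version: '1.0.0', description: 'Pad strings on the left', scripts: { test: 'mocha' } },
];

console.log(JSON.stringify(auditAll(SAMPLE_PACKAGES), null, 2));
```

A matching description is not proof of malice on its own (forks legitimately reuse text), which is why the report lists each finding separately; a package that trips both checks at once is the case worth blocking in CI and inspecting by hand.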
The attack allegedly targeted Windows users with Atomic Wallet or Exodus desktop applications installed. Once a developer included the counterfeit package in a project, it would execute a malicious payload upon installation. This payload was designed to locate the wallet’s application files and inject “clipper” malware. This type of malware works by monitoring the system’s clipboard for cryptocurrency wallet addresses. When a user copies an address to initiate a transaction, the malware stealthily replaces it with an address belonging to the attacker, effectively hijacking the funds. The scheme reportedly supported a wide range of digital currencies, including Bitcoin, Ethereum, Solana, and Tether.
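The clipper behaviour described above has a simple observable signature from the defender's side: the clipboard holds one wallet address, and moments later, with no new copy by the user, it holds a different address for the same chain. The detector below is an added example for this page, not code from the article or from any wallet vendor; the address patterns are coarse heuristics, the one-second window is an assumption, and the clipboard snapshots are constructed input standing in for what an endpoint agent would record.

```javascript
// Added example, not from the article: flag clipboard swaps typical of
// "clipper" malware. Input is a series of clipboard snapshots; output is a
// list of suspected swaps. Patterns are heuristics, not full address validation.

// Coarse syntactic patterns for the address formats the article names.
// Tether (USDT) on Ethereum uses the same 0x... form as ETH, so it falls under ETH here.
const ADDRESS_PATTERNS = {
  BTC: /^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/,
  ETH: /^0x[0-9a-fA-F]{40}$/,
  SOL: /^[1-9A-HJ-NP-Za-km-z]{32,44}$/,
};

// Classify clipboard text as a wallet address of a given chain, or null.
// BTC is tested before SOL because legacy BTC addresses are also valid base58.
function chainOf(text) {
  const t = (text || '').trim();
  for (const [chain, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(t)) return chain;
  }
  return null;
}

// events: [{ t: millisecondsSinceStart, text: clipboardContent }], oldest first.
// A swap is reported when consecutive snapshots hold two different addresses of
// the same chain within windowMs. Humans rarely copy two distinct addresses that
// fast; a clipper rewriting the clipboard it just observed does exactly that.
function detectSwaps(events, windowMs = 1000) {
  const alerts = [];
  for (let i = 1; i < events.length; i++) {
    const prev = events[i - 1];
    const cur = events[i];
    const prevText = (prev.text || '').trim();
    const curText = (cur.text || '').trim();
    const a = chainOf(prevText);
    const b = chainOf(curText);
    if (a && b && a === b && prevText !== curText && cur.t - prev.t <= windowMs) {
      alerts.push({ chain: a, original: prevText, replaced: curText, at: cur.t });
    }
  }
  return alerts;
}

// Constructed clipboard timeline (addresses are synthetic, not real wallets):
//  - t=0     user copies an ETH address; t=120 clipboard silently holds another ETH address (swap)
//  - t=5000  user copies ordinary text
//  - t=9000  user copies a BTC address; t=9100 clipboard holds another BTC address (swap)
//  - t=20000 and t=35000 user copies two different ETH addresses 15 s apart (benign)
const SAMPLE_EVENTS = [
  { t: 0, text: '0x' + 'a'.repeat(40) },
  { t: 120, text: '0x' + 'b'.repeat(40) },
  { t: 5000, text: 'meeting notes for Tuesday' },
  { t: 9000, text: 'bc1' + 'q'.repeat(38) },
  { t: 9100, text: 'bc1' + 'p'.repeat(38) },
  { t: 20000, text: '0x' + 'c'.repeat(40) },
  { t: 35000, text: '0x' + 'd'.repeat(40) },
];

console.log(JSON.stringify(detectSwaps(SAMPLE_EVENTS), null, 2));
```

The window-based rule catches the replacement itself; the stronger control, which the wallet user can apply without any tooling, is to compare the pasted address against the one shown at the source before confirming a transaction, since a clipper leaves the source untouched and only alters the clipboard.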
What made this attack particularly insidious was its dual functionality. While hiding its malicious code, the “nodejs-smtp” package also operated as a fully functional email tool, mirroring the capabilities of the legitimate “nodemailer.” This allowed it to pass routine application tests and avoid raising suspicion among developers, who would have little reason to suspect a dependency that appeared to be working as intended. This layer of deception demonstrates a deep understanding of developer workflows and represents a significant escalation in the complexity of software supply chain threats, as the malicious code could persist in a compromised application long after the offending package was removed.