Warning: Fake npm Package Hijacks Crypto Wallets
Researchers at Socket have uncovered a malicious npm package named nodejs-smtp, masquerading as the widely used nodemailer library (which averages 3.9 million weekly downloads). In reality, the package serves as a tool for covert manipulation of cryptocurrency wallets and interception of transactions. Upon installation and import, the package alters the structure of the Atomic Wallet desktop client on Windows, injecting malicious JavaScript that silently replaces the recipient’s cryptocurrency address with that of the attacker.
At the time of reporting, the package remains available in the npm registry, though the Socket team has requested its removal and the suspension of the developer account nikotimon.
The attack sequence begins immediately after the module is installed. Upon import, a function named patchAtomic is executed. This function locates the installed Atomic Wallet, extracts the contents of its core archive (app.asar), replaces the vendors.*.js file in the dist/electron directory with the malicious script a.js, then repackages the application while deleting all temporary files and directories to cover its tracks.
The injected code leaves the wallet’s interface intact and does not disrupt its core functionality. However, each time funds are transferred, the destination address is silently replaced with one preconfigured by the attacker. If the token type is not recognized, the malware defaults to inserting the attacker’s Ethereum address.
This means that any developer who installs nodejs-smtp and launches their application automatically triggers the infection. Even if email functionality is never invoked, the wallet modification still occurs. The risk is amplified when the module enters projects through transitive dependencies or is copied from online examples and AI assistants, since the package mirrors nodemailer’s name, description, and API closely enough to deceive even seasoned developers.
To reinforce its disguise, the malicious library actually implements legitimate email client functions compatible with nodemailer’s interface, allowing it to pass tests without raising suspicion. Beyond Atomic Wallet, the module also targets Exodus, with recorded attempts to modify the app.asar archives of both wallets. Once the injection is complete, all temporary directories are deleted, making detection more difficult.
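The tampering described above (an `a.js` dropped into `dist/electron` inside `app.asar`, with the original `vendors.*.js` bundle gone) can be checked for without unpacking the archive. The following Node.js script is an added example, not code from the Socket report or from either wallet vendor; it parses the asar header (two Chromium pickles: a uint32 header-size pickle followed by a string pickle holding the JSON directory tree) and lists the files under `dist/electron`. The `buildAsarHeader` helper fabricates a header-only archive so the check can be exercised offline; the file layout and the `dist/electron` path are taken from the article.

```javascript
// asar layout: uint32 pickle (header size) then a string pickle (JSON tree);
// file data begins at 8 + header size.
function parseAsarHeader(buf) {
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const json = buf.toString('utf8', 16, 16 + jsonLen);
  return { header: JSON.parse(json), filesOffset: 8 + headerSize };
}

// Flatten the tree to "dir/file" paths; directories carry a "files" map.
function listFiles(node, prefix = '') {
  const out = [];
  for (const [name, entry] of Object.entries(node.files || {})) {
    const p = prefix ? `${prefix}/${name}` : name;
    if (entry.files) out.push(...listFiles(entry, p));
    else out.push(p);
  }
  return out;
}

// Two indicators from the report: a.js under dist/electron, and/or the
// vendors.*.js bundle no longer present there.
function auditElectronDist(buf) {
  const dist = listFiles(parseAsarHeader(buf).header)
    .filter((p) => p.startsWith('dist/electron/'));
  const findings = [];
  if (dist.includes('dist/electron/a.js')) {
    findings.push('unexpected dist/electron/a.js (matches the nodejs-smtp injection)');
  }
  if (!dist.some((p) => /^dist\/electron\/vendors\.[^/]+\.js$/.test(p))) {
    findings.push('no vendors.*.js bundle under dist/electron');
  }
  return findings;
}

// Header-only asar buffer from a tree: constructed test data, not a real
// wallet archive, so the audit can be exercised offline.
function buildAsarHeader(tree) {
  const json = Buffer.from(JSON.stringify(tree), 'utf8');
  const padded = Math.ceil(json.length / 4) * 4; // pickle strings are 4-byte aligned
  const buf = Buffer.alloc(16 + padded);
  buf.writeUInt32LE(4, 0);            // size-pickle payload length
  buf.writeUInt32LE(8 + padded, 4);   // header pickle size
  buf.writeUInt32LE(4 + padded, 8);   // header pickle payload length
  buf.writeUInt32LE(json.length, 12); // JSON string length
  json.copy(buf, 16);
  return buf;
}
```

On a real installation, pass `fs.readFileSync(pathToAppAsar)` to `auditElectronDist`; an empty result means neither indicator is present, which is not proof the archive is untouched, so compare against a known-good hash of the bundle where one is available.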
Analysis suggests the campaign was carefully planned, features a scalable architecture, and could be reused across other malicious packages. While activity on the nikotimon account remains low for now, the sophistication of the code and infection techniques indicates a serious threat with potentially severe consequences.
Of particular concern is the growing role of generative AI tools in spreading such threats. Models often “invent” package names that appear credible. For instance, if a developer asks an AI assistant for a library to send email with Node.js, it might recommend the plausible but fraudulent nodejs-smtp name, leading users to install the counterfeit without hesitation.
Socket emphasizes that such attacks are becoming increasingly sophisticated: the malicious code activates upon import, modifies external applications, persists across reboots, and does not require any interaction with email functionality. Because the modification lives inside the Electron application archive rather than in the npm package itself, it is especially resilient: removing the package does not restore the wallet. The company warns that similar campaigns will likely proliferate across open-source ecosystems, including npm and PyPI. According to Socket, the threat already extends beyond Ethereum and Solana to include TRON, TON, and other networks.