ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.
Analysis Summary
# Tool/Technique: Malicious npm Package Hijacking Crypto Transfers
## Overview
A malicious package distributed via the npm registry was discovered that specifically targets users of desktop cryptocurrency wallets like Atomic Wallet and Exodus Wallet. The purpose of this malware is to silently intercept and hijack cryptocurrency transfers initiated by the user, redirecting the funds to an attacker-controlled address.
## Technical Details
- Type: Malware (Specifically, a malicious package/dependency)
- Platform: The npm registry and package ecosystem; the targeted desktop wallets run on Windows, macOS and Linux, so the malicious dependency takes effect wherever it is installed and loaded alongside them.
- Capabilities: Intercepting clipboard contents or application calls that carry a destination address while a transaction is being set up, and substituting an attacker-controlled address for the legitimate one.
- First Seen: Not specified in the provided text; the context implies a recent discovery by ReversingLabs.
## MITRE ATT&CK Mapping
The mapping below is at the tactic level only. The primary behaviour is manipulation of the wallet application's environment or code execution path, but the specific techniques depend on the infection vector within the npm package lifecycle, which the article does not detail.
- **TA0005 - Defense Evasion** (Implicit, by masquerading as a legitimate package)
- **TA0002 - Execution** (When the malicious dependency code runs)
- **TA0008 - Lateral Movement** (Less likely, as it's focused on hijacking funds)
- **TA0011 - Command and Control** (If it communicates with a C2 server to obtain/report addresses)
*Note: Specific technique IDs are unavailable as the article does not detail the exact code execution or interception method (e.g., pre/post-install scripts, dependency confusion, or runtime hooks).*
## Functionality
### Core Capabilities
- **Supply Chain Intrusion:** Utilizing the widely used npm repository to distribute malicious code disguised as a legitimate or necessary package.
- **Targeted Theft:** Specifically designed to target funds managed by Atomic Wallet and Exodus Wallet users.
### Advanced Features
- **Silent Address Substitution:** The key feature is the ability to monitor or modify cryptocurrency addresses used by the targeted wallets, ensuring the user sends assets to the attacker's address without realizing the change. This often involves monitoring the clipboard or the application's designated wallet address field.
## Indicators of Compromise
- File Hashes: [No specific hashes provided]
- File Names: [No specific file names provided, identified by package name]
- Registry Keys: [Not specified]
- Network Indicators: [No specific C2 indicators provided]
- Behavioral Indicators: Unauthorized modifications to cryptocurrency addresses during transaction processes involving Atomic or Exodus Wallet clients.
## Associated Threat Actors
- [Unspecified threat actors (likely financially motivated cryptocurrency thieves)]
## Detection Methods
- [No specific detection methods provided in the snippet.]
## Mitigation Strategies
- **Supply Chain Verification:** Thoroughly vet every dependency installed via npm: verify package integrity, and check authorship and download history before installing less widely used libraries.
- **Manual Address Verification:** Users should always cross-check the copied destination wallet address on a secondary device, or manually retype the critical parts of the address, before finalizing any cryptocurrency transaction.
- **Monitor Installation Scripts:** Review the `preinstall`, `install`, and `postinstall` scripts declared in `package.json` for unfamiliar or suspicious commands before installing new packages.
## Related Tools/Techniques
- Dependency Confusion Attacks (A similar supply chain method often utilized in the npm ecosystem).
- Cryptocurrency Clipboard Hijackers (Other malware types focused solely on modifying clipboard contents containing crypto addresses).