Discovery of a Malicious Package
Cybersecurity experts have identified a deceptive npm package called nodejs-smtp, designed to compromise desktop applications for cryptocurrency wallets such as Atomic and Exodus on Windows systems.
The package was uploaded to the npm registry in April 2025 by a user named “nikotimon.” Although it has since been removed, it managed to attract 347 downloads. To deceive developers, the package replicated Nodemailer’s legitimate branding, including its tagline, documentation style, and README descriptions.
How the Attack Works
According to Socket researcher Kirill Boychenko, once imported, the package abuses Electron tooling to:
- Extract the app.asar file of Atomic Wallet.
- Replace a vendor bundle with a malicious payload.
- Repackage the application.
- Delete its working directory to cover its tracks.
The attack’s core purpose is to replace the recipient wallet address with addresses controlled by the attacker. As a result, cryptocurrency transfers involving Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) are silently redirected, effectively turning the package into a crypto clipper.
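A defender-side integrity check for the tampering step described above, added here as an example and not code from Socket, the article or either wallet project: it reads the asar header layout (size pickle, header pickle, JSON file tree, then file data), hashes every packed file, and compares the result with a known-good manifest so a swapped vendor bundle inside app.asar shows up as "modified". The `build_asar` helper, the file names and their contents are constructed sample input only.

```python
import hashlib
import json
import struct

def build_asar(files):
    """Pack {path: bytes} into a minimal asar blob (constructed test input, not a real wallet build).
    Layout: [u32 4][u32 header_pickle_len][u32 payload_len][u32 json_len][json padded to 4][file data]."""
    header, data = {"files": {}}, bytearray()
    for path, content in files.items():
        node = header
        *dirs, name = path.split("/")
        for d in dirs:  # nested directories become nested {"files": {...}} nodes
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps(header).encode()
    padded = js + b"\0" * (-len(js) % 4)
    header_pickle = struct.pack("<II", len(padded) + 4, len(js)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + bytes(data)

def asar_file_hashes(blob):
    """Walk the asar header tree and return {path: sha256} for every packed file."""
    header_pickle_len = struct.unpack_from("<I", blob, 4)[0]
    json_len = struct.unpack_from("<I", blob, 12)[0]
    header = json.loads(blob[16:16 + json_len])
    data_base = 8 + header_pickle_len  # file contents start right after the two pickles
    hashes = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:
                walk(entry, path)
            elif "offset" in entry:  # "unpacked" entries live outside the archive and are skipped
                start = data_base + int(entry["offset"])
                hashes[path] = hashlib.sha256(blob[start:start + entry["size"]]).hexdigest()
    walk(header, "")
    return hashes

def diff_against_baseline(baseline, current):
    """Report packed files that changed, appeared or vanished versus a known-good manifest."""
    return {"modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

# Constructed sample: a clean build and the same build with its vendor bundle swapped out.
CLEAN = build_asar({"package.json": b'{"name": "wallet"}', "dist/vendor.js": b"vendor bundle v1"})
TAMPERED = build_asar({"package.json": b'{"name": "wallet"}', "dist/vendor.js": b"vendor bundle v1 (swapped)"})
```

Electron's own mitigation for the same problem is its embedded ASAR integrity fuse, which makes the runtime refuse a modified archive at load time.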
Dual Functionality to Avoid Suspicion
To reduce suspicion, the package still works as a functioning SMTP mailer, maintaining compatibility with Nodemailer. This ensures that:
- Developers can still run tests without issues.
- The dependency behaves like a legitimate library.
- Suspicion remains low because the advertised function is delivered.
Expert Warning
“This campaign demonstrates how a seemingly harmless import can secretly alter separate desktop applications and persist across reboots,” Boychenko said. “By exploiting import-time execution and Electron packaging, attackers can transform a fake mailer into a wallet drainer, compromising both Atomic and Exodus wallets on Windows machines.”
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Package Name | nodejs-smtp | Malicious npm package impersonating nodemailer |
| Author | nikotimon | npm account that uploaded the malicious package (April 2025) |
| Legitimate Target | nodemailer | Legitimate library mimicked by the attacker |
| File Path | app.asar (Atomic Wallet, Exodus Wallet) | Targeted Electron archive unpacked and modified |
| Modified Components | Vendor bundle inside app.asar | Replaced with malicious payload |
| Cryptocurrency Wallets | BTC, ETH, USDT, TRX USDT, XRP, SOL | Transactions redirected to attacker-controlled wallets |
| Related Package | pdf-to-office | Previous malicious npm package with similar wallet-drainer behavior |
| Downloads | 347 | Number of downloads before package removal |
| Platforms | Windows | Attack focused on Atomic and Exodus wallets running on Windows systems |