Cybersecurity researchers have uncovered a malicious npm package that targets cryptocurrency wallet applications on Windows systems. The package, named nodejs-smtp, is designed to inject malicious code into the desktop wallets Atomic and Exodus.
The package was crafted to imitate the legitimate email library nodemailer, copying its tagline, page styling, and README description. It was uploaded to the npm registry in April 2025 by a user identified as “nikotimon” and has since been taken down. During its short lifespan it was downloaded 347 times, so some developers may have used it without realizing what it did.
When imported, the package uses Electron tooling to modify the Atomic Wallet’s app.asar archive. It replaces a legitimate vendor bundle with a malicious payload, repackages the application, and then deletes its working directory to remove evidence of the tampering. According to Kirill Boychenko, a researcher at Socket, the purpose of this process is to redirect transactions from unsuspecting users to hard-coded wallet addresses controlled by the threat actors.
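From the defender’s side, the tampering described above is an integrity problem on a well-defined binary format. The following Python sketch is an added example, not code from Socket, the wallet vendors or the article: it parses the asar header layout, records a baseline hash of a clean archive’s header, and shows why the per-file hashes inside the header catch an in-place edit of a bundle but not a full repack, which only a comparison against the clean baseline detects. The `pack_asar` helper and the sample file contents are constructed for the demonstration; the integrity entry it writes is a simplified form of the block modern `@electron/asar` emits.

```python
import hashlib
import json
import struct
# Constructed stand-ins for an Electron app's packaged files, not real wallet code.
CLEAN_FILES = {"app.js": b"require('./vendor.bundle.js');\n",
               "vendor.bundle.js": b"module.exports = send;\n"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pack_asar(files: dict) -> bytes:
    """Flat asar in the real layout: u32 4, u32 pickle size, pickle (u32 payload
    size, u32 JSON length, JSON padded to 4 bytes), then file contents. Each entry
    carries a SHA-256, a simplified form of the integrity block @electron/asar writes."""
    entries, blobs, offset = {}, [], 0
    for name, content in files.items():
        entries[name] = {"size": len(content), "offset": str(offset),
                         "integrity": {"algorithm": "SHA256", "hash": sha256_hex(content)}}
        blobs.append(content)
        offset += len(content)
    header_json = json.dumps({"files": entries}, sort_keys=True).encode()
    padded = header_json + b"\0" * (-len(header_json) % 4)
    pickle = struct.pack("<II", len(padded) + 4, len(header_json)) + padded
    return struct.pack("<II", 4, len(pickle)) + pickle + b"".join(blobs)

def parse_asar(data: bytes):
    """Return (raw header JSON, parsed header, offset where file data begins)."""
    magic, pickle_size = struct.unpack_from("<II", data, 0)
    if magic != 4:
        raise ValueError("not an asar archive")
    json_len = struct.unpack_from("<I", data, 12)[0]
    raw = data[16:16 + json_len]
    return raw, json.loads(raw), 8 + pickle_size

def header_hash(data: bytes) -> str:
    """SHA-256 of the header JSON; a bundle swap plus repack changes the recorded
    per-file hash and so this value. Compare it against a clean-install baseline."""
    raw, _, _ = parse_asar(data)
    return sha256_hex(raw)

def verify_files(data: bytes) -> list:
    """Names of entries whose bytes no longer match the header's hash. Catches an
    in-place edit of a bundle; a full repack rewrites the header and passes."""
    _, header, base = parse_asar(data)
    bad = []
    for name, meta in header["files"].items():  # flat archive: no subdirectories
        start = base + int(meta["offset"])
        if meta["integrity"]["hash"] != sha256_hex(data[start:start + meta["size"]]):
            bad.append(name)
    return bad
```

In practice the baseline would be the header hash of the vendor’s signed installer, recorded before any third-party package runs on the workstation.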
The injected code redirects transactions in several cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP, and Solana (SOL), so the package functionally acts as a cryptocurrency clipper, siphoning funds from affected users.
Despite its malicious intent, nodejs-smtp does work as the SMTP-based mailer it advertises. This working facade reduces developer suspicion, since application tests pass without red flags. The package exposes a drop-in interface matching the nodemailer API, leaving developers little reason to question its legitimacy.
This discovery follows an earlier incident in which another npm package, named “pdf-to-office,” was found with similar capabilities. It showed how malware can gain a foothold on developer workstations, and it targeted the same cryptocurrency wallets by modifying JavaScript files inside their app.asar archives.
Boychenko warns that the campaign highlights the exposure developers accept when managing dependencies in their projects. “A routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots,” he noted. By taking advantage of import-time execution and Electron packaging, an ostensibly harmless mailer becomes a wallet drainer, putting at risk users who rely on trusted cryptocurrency wallets for their digital assets.