Sophisticated Malware Targets Ethereum, XRP, Solana Wallets via Trojanized NPM Packages

April 14, 2025
  • A malicious npm package named pdf-to-office has been identified, targeting users of cryptocurrency wallets like Atomic Wallet and Exodus by hijacking transactions.

  • The attack redirects transactions to addresses controlled by the attacker without the wallet owner's knowledge, significantly increasing risks for cryptocurrency users.

  • The attackers' tactics keep evolving, so developers need to scrutinize packages before installing them rather than trusting a name or a download count.

  • Because the swap produces no visible warning in the wallet interface, users can lose funds unless they verify the recipient address themselves before confirming a transaction.

  • The malicious package was first identified on March 24, 2025, and has since been updated multiple times, accumulating 334 downloads by early April.

  • Developers are urged to verify the security of any packages they include in their cryptocurrency projects to mitigate the risk of such attacks.

  • Cybersecurity researchers have discovered that this malware specifically targets holders of Ethereum, Solana, and XRP, leading to significant financial thefts.

  • Victims are often unaware of the theft: the injected code silently replaces the legitimate recipient address with an attacker-controlled one, which is stored base64-encoded in the code, so the transaction looks normal to the user.

  • Experts are calling for stricter code auditing and dependency management to combat these evolving threats, emphasizing the need for vigilance among developers and users.

  • This incident underscores a growing trend of supply chain attacks on the open-source npm platform, which makes malicious dependencies harder to spot during software development.

  • ReversingLabs had previously identified similar threats in March, indicating a rise in complex supply chain attacks specifically targeting the cryptocurrency sector.

  • Once infected, the compromised wallet software continues redirecting funds even after the malicious npm package is uninstalled, because the patch lives in the wallet application's own files; users must completely remove and reinstall the wallet software to eliminate the threat.

Summary based on 4 sources

