Malware Steals ETH, XRP, and SOL from Crypto Wallets Without Users’ Knowledge

Cybersecurity experts have uncovered a new malicious campaign aimed at stealing cryptocurrencies like Ethereum (ETH), XRP, and Solana (SOL) from popular wallets such as Atomic Wallet and Exodus. The attack leverages malicious NPM packages that silently redirect transactions to hacker-controlled addresses without the user’s knowledge.

How Does the Attack Work?

The attack begins when developers unknowingly install infected NPM packages into their projects. One of the flagged packages is “pdf-to-office”, which appears legitimate but contains hidden malicious code.

Once installed, the package scans the system for installed crypto wallets and injects malicious code that intercepts and reroutes transactions. According to researchers, this marks an escalation in supply chain attacks.

Technical Details of the Attack

  • The malware searches for specific system paths where wallet files are located.
  • It extracts the application archives, injects code, then repackages them to appear normal.
  • It uses base64 encoding to hide the attacker’s addresses within the code.
  • When sending funds (e.g., ETH), the recipient address is replaced with a base64-decoded address controlled by the attacker.
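The four steps above describe the address-swap trick: the recipient the user typed is replaced, at send time, by a string the package keeps base64-encoded so that a casual read of the code shows no wallet address. The scanner below is an added example, not code from the article or from ReversingLabs. It walks JavaScript source, finds quoted literals that are valid base64, decodes them, and reports any that decode to something shaped like an ETH, XRP or SOL address. The sample JavaScript is constructed for the demonstration and the hidden address is a placeholder, not a real indicator from the campaign.

```python
"""Heuristic scanner for the address-swap technique described above: find string
literals in JavaScript source that are base64 and decode to a wallet address."""
import base64
import binascii
import re

# Address shapes for the three chains named in the report (assumed formats:
# 0x + 40 hex for ETH, 'r' + base58 for XRP classic addresses, 32-44 base58 for SOL).
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

# A quoted literal long enough to hold an address and made only of base64 characters.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{20,}={0,2})["']""")


def _decode_literal(literal: str):
    """Return the decoded text if `literal` is valid base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_address(text: str):
    """Name the chain whose address format `text` matches, or None if it matches none."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def scan_js_for_hidden_addresses(source: str):
    """Return one finding per base64 literal that decodes to a wallet address.

    Each finding records the line number, the literal as written, the decoded
    address and the chain whose format it matches.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in BASE64_LITERAL.finditer(line):
            literal = match.group(1)
            decoded = _decode_literal(literal)
            if decoded is None:
                continue  # not base64, or not text: skip
            chain = classify_address(decoded)
            if chain:
                findings.append(
                    {"line": lineno, "literal": literal, "decoded": decoded, "chain": chain}
                )
    return findings


# --- Constructed sample input (not taken from the real package) ---
PLACEHOLDER_ETH = "0x" + "11" * 20  # placeholder, not a real attacker address
HIDDEN = base64.b64encode(PLACEHOLDER_ETH.encode()).decode()
BENIGN = base64.b64encode(b"nothing to see here, just config").decode()

SAMPLE_JS = f'''
const cfg = "{BENIGN}";
function send(to, amount) {{
  // the recipient the caller passed in is silently replaced by a decoded literal
  const r = Buffer.from("{HIDDEN}", "base64").toString();
  return rpc.sendTransaction({{ to: r, value: amount }});
}}
'''

if __name__ == "__main__":
    for f in scan_js_for_hidden_addresses(SAMPLE_JS):
        print(f"line {f['line']}: {f['chain']} address hidden in base64 -> {f['decoded']}")
```

Run against a freshly installed package's JavaScript (or against a wallet's unpacked application archive after an upgrade) it gives a quick triage signal; the benign config literal in the sample decodes fine but is not reported because it does not have an address shape. The check is a heuristic: the SOL pattern in particular can match other 32-44 character base58 strings, so treat a hit as something to read by hand rather than a verdict.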

Who Discovered the Attack?

The company ReversingLabs identified the campaign by analyzing suspicious NPM packages. They discovered:

  • Suspicious connections to URL addresses,
  • Code pattern matches with known threats,
  • A multi-stage attack using advanced code obfuscation techniques.

Potential Consequences for Users

What makes this attack especially dangerous is that the user receives no visual warning about the compromised transaction. The wallet interface displays everything as normal, while in reality the funds are being sent to attackers.

Users often discover the fraud only after checking the blockchain transaction and noticing the cryptocurrency was sent to an unknown address.

Conclusion

This new wave of crypto malware shows that threats in the Web3 space are becoming increasingly sophisticated and harder to detect.

Both users and developers must be extremely cautious about the sources of the code they install, as well as every transaction they perform. In the digital world, checking twice is what keeps you safe.

Martin N.

Founder of CryptoPoint.bg and a programmer with over 17 years of experience, a crypto enthusiast with deep knowledge of software development and a passion for decentralization, Martin created CryptoPoint.bg to help anyone who wants to gain insight into the future of digital assets, current crypto news, analytics and blockchain innovations.