SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Malicious NPM Packages Target Cryptocurrency, PayPal Users

Threat actors are publishing malicious NPM packages to steal PayPal credentials and hijack cryptocurrency transfers.

Threat actors have been publishing malicious NPM packages to steal the information and funds of PayPal and cryptocurrency wallet users.

Fortinet discovered that PayPal users have been targeted with multiple information-stealing packages that were likely created in early March by a threat actor known as tommyboy_h1 and tommyboy_h2.

The packages used PayPal-related themes such as oauth2-paypal and buttonfactoryserv-paypal to trick developers into installing them. To evade detection, a preinstall hook is used in the malicious packages.

The hook ensures a malicious script is automatically executed before the package’s installation to harvest system data and sensitive information, such as usernames and passwords, and send it to a remote server using a dynamically generated URL.

“To spot a compromise, look for unusual NPM packages with names like ‘paypal’. Other signs include unexpected network connections to unknown servers, so also check your network logs for any suspicious activity,” Fortinet notes.

Users of the cryptocurrency wallet applications Atomic Wallet and Exodus, ReversingLabs warns, have been targeted with a malicious NPM package designed to hijack fund transfers and divert them to crypto addresses controlled by threat actors.

Named pdf-to-office and published in March, the package poses as a library that supports the conversion of PDF files to Microsoft Office documents. Upon execution, however, the package overwrites local files used by Atomic Wallet and Exodus with malicious versions that contain the legitimate functionality of the original but replace outgoing crypto addresses with the attacker’s crypto address.

The malicious code was also seen sending a ZIP archive to a remote server, suggesting that it could also harvest sensitive information from an infected system.

Advertisement. Scroll to continue reading.

ReversingLabs also warns that impacted users would need to completely remove the compromised wallet applications and re-install them. Otherwise, even if the malicious NPM package were removed, the wallets would continue to send funds to the attacker’s address.

Related: 9-Year-Old NPM Crypto Package Hijacked for Information Theft

Related: Snyk Says ‘Malicious’ NPM Packages Part of Research Project

Related: Open Source Package Entry Points May Lead to Supply Chain Attacks

Related:Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.