A new malicious npm package has been discovered, and this time the target was not just developers but also cryptocurrency users. The package, named nodejs-smtp, was designed to look like the widely used Nodemailer library. On the surface, it worked like a normal tool for sending emails, but hidden inside was code that attempted to hijack desktop wallets such as Atomic Wallet and Exodus.

Researchers found that once installed, the package would secretly search the system for wallet applications built on Electron. Electron apps ship their JavaScript in an archive (app.asar) that can be unpacked and repacked without touching the installer, and that is exactly what the malware did: if Atomic or Exodus was found, it unpacked the app, replaced one of its vendor files with a malicious version, and repackaged it so that everything appeared normal. Users could continue using their wallets as usual, completely unaware that outgoing transactions were being manipulated in the background.

The attackers' goal was to silently swap out the destination address when users sent crypto. Instead of reaching the intended recipient, funds could be redirected to addresses controlled by the attackers. Because the app still functioned normally, victims would have little reason to suspect that anything was wrong until they noticed missing funds.

What made this package particularly dangerous was how convincing it looked. It carried a name similar to Nodemailer, one of the most popular Node.js email libraries, and even provided working email functionality. Developers who installed it might not have questioned its legitimacy, especially since everything seemed to work as expected. This made the hidden attack even more effective and difficult to detect.

The malicious package was uploaded under the npm account “nikotimon.” Researchers from Socket linked it to a specific registration email and published indicators of compromise, including attacker-controlled crypto addresses. Fortunately, the package did not spread widely, but reports showed it had been downloaded more than 340 times before being discovered and removed. Even a few hundred downloads are enough to put unsuspecting users at risk.

This incident is not isolated. Security teams pointed out that a similar strategy was seen in the past with npm packages like pdf-to-office, which also went after Atomic and Exodus wallets. Those earlier attacks used almost identical methods of repacking the wallet and injecting malicious files into it. The recurrence shows that this is now an established playbook for supply chain attacks in the open-source ecosystem.

One of the most concerning aspects is that uninstalling the malicious npm package does not fully fix the problem. The attack tampers with the wallet's own files, not with the developer's project, so the injected code stays in place after the package is deleted. The only reliable remedy is to completely reinstall the wallet app from its official website. Until that is done, users remain exposed to the risk of funds being stolen.

For developers, the lesson is clear: dependencies cannot be taken for granted. Simple steps like verifying the publisher, checking a package's age and download history, and reading its package.json for preinstall or postinstall scripts before letting them run can help prevent these types of compromises. Tools that monitor supply chain behavior and flag suspicious activity should also become part of the standard workflow. Supply chain attacks are growing in frequency and sophistication, and even trusted platforms like npm are being abused.

For crypto users, the advice is just as important. Only install wallets from their official sources, and be cautious if you notice unusual behavior during transactions; in particular, confirm the destination address shown at the final confirmation step matches the one you intended. Staying aware of these incidents and keeping wallets up to date can reduce the chances of falling victim to silent wallet hijacking. Developers who may have used nodejs-smtp are strongly advised to reinstall Atomic or Exodus wallets immediately from official channels and to compare the installed wallet files against a fresh official copy rather than trusting the existing installation.

The discovery of nodejs-smtp is another wake-up call about the hidden risks in the software ecosystem. Attackers are finding ways to weaponize simple dependencies to achieve far-reaching attacks. Even though the number of downloads was limited in this case, the approach is dangerous and shows how trust in open-source can be exploited. This attack serves as a reminder that vigilance, proper verification, and layered defenses are the best tools we have to protect against supply chain threats.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news