NEWS One Import — and Your Cryptocurrency Flows to Hackers. What Did They Find in the Depths of Atomic Wallet?

ExcalibuR

AI assistants now not only write code but also recommend the best ways to lose your savings.

Specialists at Socket have discovered a malicious npm package named nodejs-smtp, which masquerades as the popular nodemailer library (average download volume: 3.9 million per week) but is actually a tool for covertly interfering with cryptocurrency wallets and intercepting transactions. Upon installation and import, the package modifies the structure of the desktop Atomic Wallet application on Windows, injects malicious JavaScript into it, and stealthily replaces the recipient's cryptocurrency address with the attacker's wallet.

As of now, the malicious package is still available in the npm registry, and the Socket team has submitted a request for its removal and the blocking of the associated developer account, nikotimon.

The attack script launches immediately after the module is installed. Upon import, a function called patchAtomic is executed. This function:

  1. Finds the installed Atomic Wallet application on the disk.
  2. Extracts the contents of its main app.asar archive.
  3. Replaces the vendors.*.js file in the dist/electron directory with a malicious script (a.js).
  4. Repackages the application.
  5. Deletes all temporary files and directories to cover its tracks.

The injected code does not disrupt the wallet's operation or affect the user interface. However, with every attempt to send funds, it stealthily replaces the destination address with one of several predefined addresses. If the token is not recognized, an Ethereum address belonging to the attacker is used by default.

Thus, any developer who installs nodejs-smtp and runs their application automatically triggers the infection. Even if email functionality is never used, the wallet modification still occurs. This is especially dangerous if the module enters a project through transitive dependencies or is copied from examples online and from AI assistants: by name, description, and API, it completely mimics nodemailer, meaning it can deceive even an experienced developer.

For camouflage, the malicious library does actually perform email client functions and is compatible with the nodemailer interface, allowing it to pass tests successfully and not raise suspicion. Besides Atomic Wallet, the module also targets the Exodus application. Specialists recorded attempts to modify the app.asar archives of both wallets. After the malicious code is injected, the temporary directories are deleted, making attack detection difficult.

Analysis shows the campaign was planned in advance, has a scalable structure, and can be reused in other malicious packages. Although the activity of the nikotimon account currently remains low, the nature of the code and infection mechanisms indicates a high threat level and potential for significant damage.

A particular cause for alarm is the fact that such libraries are increasingly finding their way into projects thanks to generative tools that "invent" realistic package names. If a developer asks an AI assistant to recommend a library for sending email from Node.js, the model might suggest the seemingly correct name nodejs-smtp—and the user, without a second thought, will install the counterfeit.

Socket emphasizes that attack methods are becoming increasingly sophisticated: the malicious code activates upon simple import, modifies third-party applications, persists between reboots, and doesn't even require interaction with its email functions. The targeting of Electron archives makes the interference particularly persistent. The company urges others to expect an increase in the number of such attacks through open-source ecosystems, including npm and PyPI. According to Socket, such campaigns already target not only Ethereum and Solana but also TRON, TON, and other networks.
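A defender-side integrity check for the kind of tampering the post describes, added here as an example (it is neither Socket's code nor anything from the package): it parses the app.asar header layout (4-byte pickle size fields, a JSON file tree, then the concatenated file data), hashes every packed file and diffs the result against a saved baseline, so a swapped vendors.*.js or an unexpected a.js under dist/electron is reported. build_asar exists only to construct test input; the sample paths and contents are made up.

```python
import hashlib
import json
import struct


def build_asar(files: dict[str, bytes]) -> bytes:
    """Build a minimal app.asar from {path: bytes} (constructed input for the demo/test only)."""
    tree, blobs, offset = {}, [], 0
    for path, blob in files.items():
        node, parts = tree, path.split("/")
        for directory in parts[:-1]:
            node = node.setdefault(directory, {"files": {}})["files"]
        node[parts[-1]] = {"size": len(blob), "offset": str(offset)}
        blobs.append(blob)
        offset += len(blob)
    header = json.dumps({"files": tree}).encode()
    padded = header + b"\0" * (-len(header) % 4)          # pickle strings are 4-byte aligned
    pickle = struct.pack("<II", len(padded) + 4, len(header)) + padded
    return struct.pack("<II", 4, len(pickle)) + pickle + b"".join(blobs)


def asar_entries(data: bytes) -> dict[str, tuple[int, int]]:
    """Parse the asar header; return {path: (absolute offset, size)} for every packed file."""
    _, header_size, _, json_len = struct.unpack_from("<4I", data, 0)
    header = json.loads(data[16:16 + json_len])
    data_start = 8 + header_size                          # file blobs follow the header pickle
    entries: dict[str, tuple[int, int]] = {}

    def walk(node: dict, prefix: str) -> None:
        for name, child in node["files"].items():
            if "files" in child:
                walk(child, prefix + name + "/")
            elif "offset" in child:                       # entries without offset live unpacked on disk
                entries[prefix + name] = (data_start + int(child["offset"]), child["size"])

    walk(header, "")
    return entries


def asar_manifest(data: bytes) -> dict[str, str]:
    """SHA-256 of every packed file, keyed by its path inside the archive."""
    return {p: hashlib.sha256(data[o:o + n]).hexdigest() for p, (o, n) in asar_entries(data).items()}


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Added, removed and changed paths; any hit under dist/electron deserves a close look."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])}
```

In practice you would run asar_manifest over the installed app.asar right after a clean install, store the result as the baseline, and re-run the diff periodically or after any npm install on the same machine.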