Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions

MITRE Techniques

• [T1195.002 ] Supply Chain Compromise – The malicious npm package modifies downstream Electron applications by unpacking app.asar, injecting a payload, and repacking the archive, enabling unauthorized code in target software: “it runs code that modifies Atomic Wallet on Windows by unpacking the app bundle, overwriting a vendor file with threat actor code, and repacking it.”
• [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location – The package copies nodemailer’s tagline, styling, and README to impersonate the legitimate project and mislead developers: “The package copies the nodemailer … tagline, page styling, and README, impersonating the legitimate project to evade casual inspection.”
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – Malicious JavaScript runs on import to perform filesystem and asar operations that implant code into wallet runtimes: “On import, it runs code that modifies Atomic Wallet … await asar.extractAll(asarIn, workDir); await fs.copyFile(implant, target); await asar.createPackage(workDir, asarIn);”
• [T1608.001 ] Stage Capabilities: Upload Malware – The actor bundles the implant (a.js) within the npm package and copies it into target application archives to stage persistent malicious code: “The threat actor’s payload bundled with this package … await fs.copyFile(implant, target);”
• [T1204.002 ] User Execution: Malicious File – The malicious behavior triggers on import (a developer action) causing silent compromise of installed desktop wallets without explicit user awareness: “Any application that requires this module triggers the tampering, even if no email is sent.”
• [T1657 ] Financial Theft – The implanted runtime code overwrites transaction recipient addresses to redirect multi-chain funds to attacker-controlled wallets: “the injected code overwrites the recipient address with hardcoded wallets controlled by the threat actor.”