Threat actors are increasingly abusing npm packages to carry out software supply chain attacks, and pdf-to-office is a recent example. Disguised as a PDF conversion tool, the package patches desktop cryptocurrency wallets that are already installed on the developer's machine, Atomic Wallet and Exodus among them, so that the destination address of an outgoing transaction is silently replaced with one controlled by the attacker. Because the malicious code is written into the wallet's own files, it survives removal of the npm package. Recent discoveries have also surfaced other npm packages that modify locally installed software to give attackers backdoor access.
In effect, a victim who tried to send funds to another wallet would have the intended destination address swapped out for one belonging to the threat actor.
What makes this approach attractive to threat actors is that the malware persists on developer systems even after the malicious package is removed, since the modification lives in the wallet application's files rather than in the package itself.
An analysis of pdf-to-office revealed that the malicious code embedded in the package checks for the "atomic/resources/app.asar" archive inside the "AppData/Local/Programs" folder (that is, %LOCALAPPDATA%\Programs, the default per-user install location on Windows) to confirm that Atomic Wallet is installed, and if so introduces the clipper (address-swapping) functionality by modifying app.asar, the archive in which an Electron application such as Atomic Wallet ships its packaged JavaScript.
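A defender who suspects this kind of tampering wants to compare the installed wallet's app.asar against a trusted copy rather than trust the wallet's own files. The script below is an added example and is not code from the pdf-to-office package, from Atomic Wallet, or from the researchers who analysed the attack: it parses the asar header layout that Electron uses (two Chromium "pickle" records, a size record and a JSON header record, followed by the raw file contents), hashes every packed file, and reports which paths differ from a baseline. The sample archives, their file names and contents are constructed for the demonstration; `atomic_wallet_asar_path()` simply builds the path the article names from the `LOCALAPPDATA` environment variable.

```python
"""Diff an Electron app.asar archive against a trusted baseline to spot repacked files.

Added example, not code from pdf-to-office, Atomic Wallet or the researchers' report.
"""
import hashlib
import json
import os
import struct
from typing import Dict, Optional, Tuple


def atomic_wallet_asar_path() -> str:
    """Path the article names for the Windows install: %LOCALAPPDATA%\\Programs\\atomic\\resources\\app.asar."""
    base = os.environ.get("LOCALAPPDATA", os.path.expanduser("~"))
    return os.path.join(base, "Programs", "atomic", "resources", "app.asar")


def build_asar(files: Dict[str, bytes]) -> bytes:
    """Build a minimal asar archive; used here only to construct sample input."""
    tree: dict = {"files": {}}
    blobs = []
    offset = 0
    for path, data in files.items():
        node = tree
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps(tree).encode()
    # Chromium pickle layout: uint32 payload size, uint32 string length, string, padding to 4 bytes
    padded = header_json + b"\0" * ((-len(header_json)) % 4)
    payload = struct.pack("<I", len(header_json)) + padded
    header_pickle = struct.pack("<I", len(payload)) + payload
    size_pickle = struct.pack("<II", 4, len(header_pickle))   # first pickle: just the header length
    return size_pickle + header_pickle + b"".join(blobs)


def parse_asar(blob: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {path: (absolute offset, size)} for every packed file in an asar archive."""
    header_len = struct.unpack_from("<I", blob, 4)[0]   # size of the header pickle
    json_len = struct.unpack_from("<I", blob, 12)[0]    # string length inside that pickle
    header = json.loads(blob[16:16 + json_len])
    data_start = 8 + header_len                          # file contents follow the two pickles
    entries: Dict[str, Tuple[int, int]] = {}

    def walk(node: dict, prefix: str) -> None:
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:
                walk(entry, path + "/")
            elif "offset" in entry:   # "unpacked" entries live outside the archive and carry no offset
                entries[path] = (data_start + int(entry["offset"]), int(entry["size"]))

    walk(header, "")
    return entries


def hash_entries(blob: bytes) -> Dict[str, str]:
    """SHA-256 of every packed file, keyed by its path inside the archive."""
    return {path: hashlib.sha256(blob[off:off + size]).hexdigest()
            for path, (off, size) in parse_asar(blob).items()}


def diff_asar(baseline: bytes, current: bytes) -> Dict[str, str]:
    """Report paths that are 'modified', 'added' or 'removed' relative to a trusted baseline."""
    before, after = hash_entries(baseline), hash_entries(current)
    findings: Dict[str, str] = {}
    for path in sorted(before.keys() | after.keys()):
        if path not in after:
            findings[path] = "removed"
        elif path not in before:
            findings[path] = "added"
        elif before[path] != after[path]:
            findings[path] = "modified"
    return findings


def check_installed_wallet(baseline: bytes, path: Optional[str] = None) -> Dict[str, str]:
    """Diff the on-disk app.asar against a trusted baseline; an empty dict means no changes or no install."""
    path = path or atomic_wallet_asar_path()
    if not os.path.isfile(path):
        return {}
    with open(path, "rb") as fh:
        return diff_asar(baseline, fh.read())


# Constructed sample archives (not real Atomic Wallet contents): a clean bundle and the same
# bundle with one script repacked, the kind of change a wallet-patching package leaves behind.
CLEAN_FILES = {
    "package.json": b'{"name":"wallet","main":"dist/main.js"}',
    "dist/main.js": b"module.exports = { send(to, amount) { return broadcast(to, amount); } };\n",
}
TAMPERED_FILES = {
    **CLEAN_FILES,
    "dist/main.js": b"module.exports = { send(to, amount) { return broadcast(swap(to), amount); } };\n",
}
CLEAN_ASAR = build_asar(CLEAN_FILES)
TAMPERED_ASAR = build_asar(TAMPERED_FILES)

if __name__ == "__main__":
    for changed_path, verdict in diff_asar(CLEAN_ASAR, TAMPERED_ASAR).items():
        print(f"{verdict:9} {changed_path}")
```

The baseline has to come from outside the machine under investigation, for instance the app.asar extracted from a freshly downloaded installer whose signature was verified; any integrity metadata the archive header itself carries is regenerated by whoever repacks it, so it is no evidence on its own. Files marked "unpacked" in the header sit next to the archive on disk and need a separate file-by-file comparison.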
The npm package in question was first published on March 24, 2025, and has received three updates since then, with the earlier versions likely removed from the registry by the authors themselves.