New Trojan Alert Affecting Cryptocurrency Users – Don’t Download the File With This Name!
Amid a growing wave of cyberattacks targeting the cryptocurrency community, threat actors have launched a sophisticated software supply chain attack aimed at compromising widely used Web3 wallets, including Atomic Wallet and Exodus.
According to researchers at ReversingLabs (RL), the malicious campaign centers on the npm package manager, a popular platform for JavaScript and Node.js developers. Attackers are distributing a deceptive package called pdf-to-office, which is falsely promoted as a utility for converting PDF files to Microsoft Office formats. Instead, the package carries malicious code designed to hijack local installations of legitimate crypto wallet software.
Once executed, the pdf-to-office package silently injects malicious patches into locally installed versions of Atomic Wallet and Exodus. These patches replace the legitimate code with a modified version that allows attackers to intercept and redirect cryptocurrency transactions. In practice, users attempting to send funds would find that their transactions were being redirected to a wallet controlled by the attackers, with no visible signs of tampering.
The attack exploited a subtle and increasingly popular technique: Instead of directly hijacking upstream open-source packages, malicious actors now inject malicious code into local environments by patching legitimate software already installed on the victim’s system.
The pdf-to-office package first appeared on npm in March 2025 and has had multiple versions released in succession. The latest version, 1.1.2, was released on April 1. RL researchers detected the package using machine learning-driven behavioral analysis on the Spectra Assure platform. The code was found to contain obfuscated JavaScript, a common red flag in recent npm malware campaigns.
Notably, the effects persisted even after the malicious package was deleted. Once the Web3 wallets were patched, simply removing the fake npm package did not eliminate the threat. Victims had to completely uninstall and reinstall their wallet application to remove the trojan components and restore wallet integrity.
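A lockfile check for the package named above, as an added example (not code from ReversingLabs or from this article): it scans package-lock.json content for pdf-to-office, including copies pulled in transitively. The sample lockfile and the other package names are constructed; a hit means the machine ran the package's code, so the wallet reinstall described above still applies.

```javascript
// Package name taken from the article; extend the set for other advisories.
const BAD_PACKAGES = new Set(['pdf-to-office']);
const NM = 'node_modules/';

// Returns [{ name, version, path }] for every locked copy of a flagged package.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findFlaggedPackages(lockfileText, bad = BAD_PACKAGES) {
  const lock = JSON.parse(lockfileText);
  const found = new Map(); // keyed by path: v2 files list each package twice

  const record = (name, version, path) => {
    if (bad.has(name)) found.set(path, { name, version: version || 'unknown', path });
  };

  // v2/v3: keys look like "node_modules/a/node_modules/b". An explicit
  // "name" field is present for aliased installs, so prefer it.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf(NM);
    record(meta.name || (i >= 0 ? path.slice(i + NM.length) : path), meta.version, path);
  }

  // v1, and the backward-compatibility section of v2: walk nested dependencies.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}${NM}${name}`;
      record(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');

  return [...found.values()];
}

// Constructed sample lockfile: the flagged package arrives as a transitive dependency.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/example-report-lib': { version: '2.0.0' },
    'node_modules/example-report-lib/node_modules/pdf-to-office': { version: '1.1.2' },
  },
});
console.log(findFlaggedPackages(SAMPLE_LOCK));
```

To check a real project, pass the text of its package-lock.json to `findFlaggedPackages`.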