14 April 2025
New Malware Targets Ethereum, XRP, and Solana Wallets to Steal Funds
Cybersecurity researchers have uncovered a malware operation targeting holders of Ethereum, USDT, XRP, and Solana. The malware is delivered through compromised software packages used by developers and, once installed, carries out unauthorized cryptocurrency transactions without the user's knowledge.
Attack Mechanism
- The attack begins when developers unknowingly include compromised npm (Node Package Manager) packages in their projects.
- One such package, "pdf-to-office," appears legitimate but contains malicious code.
- The malware searches for installed crypto wallets and injects code to intercept transactions.
Impact on Multiple Cryptocurrencies
- The malware can divert transactions across major cryptocurrencies, including Ethereum, USDT, XRP, and Solana.
- This marks a significant escalation in software supply chain attacks against cryptocurrency users.
Technical Insights
- Researchers identified the campaign through scans for suspicious npm packages, which flagged warning signs such as dubious URLs and code structures resembling previously seen threats.
- The malware employs advanced evasion techniques and operates through multiple stages.
- It targets wallet application files in predetermined locations before executing its malicious code.
No Visible Warning Signs
- Transactions appear normal in the wallet interface: the malware silently swaps the legitimate recipient address for an attacker-controlled one, which the malicious code keeps in base64-encoded form so it does not stand out as a plain-text wallet address.
- Users may only realize their funds are missing after checking blockchain records post-transaction.
Cryptocurrency users are advised to verify the recipient address of every transaction carefully before signing it. Developers should also vet the security of any packages integrated into their cryptocurrency projects.