Beware: Malicious npm Package Impersonates Email Library

Summary
– A malicious npm package named “nodejs-smtp” impersonated the nodemailer library and injected code to redirect cryptocurrency transactions to attacker-controlled wallets.
– The package used Electron tooling to tamper with Atomic Wallet on Windows by unpacking, modifying, and repackaging the application while deleting traces of the process.
– Once active, the malicious code overwrote recipient addresses during transactions, enabling theft of multiple cryptocurrencies including Bitcoin, Ethereum, and Solana.
– The package had convincing branding and documentation that tricked developers, with AI coding assistants potentially contributing to the risk by suggesting incorrect package names.
– Socket researchers warned this attack method is deliberate and scalable, advising developers to use security tools that scan dependencies and block suspicious packages.
Cybersecurity experts have identified a dangerous new npm package that cleverly disguises itself as the popular nodemailer email library. This malicious software not only sends emails but also compromises cryptocurrency wallets by secretly altering transaction details to divert funds to attackers.
The package, called “nodejs-smtp,” uses Electron packaging tools to tamper with Atomic Wallet on Windows systems. When the package is imported, it unpacks the wallet’s application archive, replaces a legitimate file with malicious code, repackages the app, and deletes the traces of that process. Once inside the wallet, the malicious code rewrites transaction recipient addresses to ones controlled by the attacker, enabling the theft of Bitcoin (BTC), Ethereum (ETH), Tether (USDT), TRX, XRP, and Solana (SOL).
Socket’s Threat Research Team, which uncovered the threat, noted that while the package still functioned as an email sender, this normal behavior helped mask its harmful activities. Developers testing their applications would see expected email results, reducing suspicion about the dependency.
The package was published under the alias “nikotimon,” with a registration email linked to darkhorse.tech322@gmail[.]com. Researchers observed that the attacker had not yet accumulated significant stolen funds, suggesting the campaign is relatively new. However, they emphasized that the attack method was deliberate, reusable, and scalable. Following Socket’s report, the npm security team removed the package and suspended the associated account.
Although the malicious package had only 342 downloads, compared to nodemailer’s 3.9 million weekly downloads, its convincing name, similar styling, and nearly identical README made it easy to mistake for the legitimate library. The risk is heightened by the use of AI coding assistants, which can sometimes suggest incorrect or malicious package names.
Common reasons developers might accidentally choose “nodejs-smtp” include searching for phrases like “nodejs smtp example,” selecting the first matching result, or trusting recommendations from AI tools. This incident highlights how a single imported package can modify unrelated applications on a developer’s machine, turning a seemingly harmless email library into a wallet-draining threat.
Security researchers anticipate more attacks of this nature, potentially affecting additional blockchain networks like TRON and TON. They recommend that developers use security tools capable of scanning pull requests, blocking suspicious dependencies during installation, and identifying impersonated packages.
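One way to implement the “identify impersonated packages” check the researchers recommend, as an added example that is not from the article or from Socket: compare each dependency’s README against the READMEs of trusted libraries and flag near-identical text published under a different name or publisher. The package metadata below is constructed for illustration; a real audit would pull it from the registry.

```javascript
// Added example (not from the article or from Socket): flags npm packages whose
// README is nearly identical to a trusted library's README but which ship under a
// different name or publisher, the pattern nodejs-smtp used against nodemailer.
// All package metadata here is constructed sample data.

// Trusted packages, their expected publisher and a reference README (constructed).
const TRUSTED = {
  nodemailer: {
    publisher: 'trusted-maintainer',
    readme: 'Send e-mails from Node.js - easy as cake! Nodemailer supports SMTP, unicode, attachments and HTML content.',
  },
};

// Candidate dependencies as they might come back from registry metadata (constructed).
const CANDIDATES = [
  { name: 'nodemailer', publisher: 'trusted-maintainer', readme: TRUSTED.nodemailer.readme },
  { name: 'nodejs-smtp', publisher: 'nikotimon',
    readme: 'Send e-mails from Node.js - easy as cake! nodejs-smtp supports SMTP, unicode, attachments and HTML content.' },
  { name: 'left-pad', publisher: 'someone-else', readme: 'String left pad utility for Node.js.' },
];

// Lower-case, strip punctuation, and return the set of words in the text.
function tokens(text) {
  return new Set(text.toLowerCase().replace(/[^a-z0-9\s]/g, ' ').split(/\s+/).filter(Boolean));
}

// Word-level Jaccard similarity between two READMEs (0 = disjoint, 1 = identical words).
function jaccard(a, b) {
  const A = tokens(a), B = tokens(b);
  let inter = 0;
  for (const t of A) if (B.has(t)) inter++;
  const union = A.size + B.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Returns one finding per candidate whose README matches a trusted README above
// the threshold while its name or publisher differs from the trusted package.
function auditPackages(candidates, trusted = TRUSTED, threshold = 0.8) {
  const findings = [];
  for (const pkg of candidates) {
    for (const [trustedName, info] of Object.entries(trusted)) {
      if (pkg.name === trustedName && pkg.publisher === info.publisher) continue; // genuine package
      const score = jaccard(pkg.readme, info.readme);
      if (score >= threshold) {
        findings.push({ package: pkg.name, publisher: pkg.publisher, impersonates: trustedName, score: Number(score.toFixed(2)) });
      }
    }
  }
  return findings;
}

console.log(auditPackages(CANDIDATES)); // flags nodejs-smtp as impersonating nodemailer
```

The threshold is a tuning knob: genuine forks with copied documentation will also score high, so a finding should block installation only until the package’s provenance has been reviewed.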
(Source: InfoSecurity Magazine)
