Malicious npm Package Impersonates Popular Nodemailer, Puts 3.9M Weekly Downloads at Risk of Crypto Theft
gbhackers
A sophisticated cryptocurrency theft scheme involves a malicious npm package that masquerades as the widely used Nodemailer email library while secretly hijacking desktop cryptocurrency wallets on Windows systems.
Socket’s Threat Research Team identified the malicious package, nodejs-smtp, which impersonates the legitimate Nodemailer library that averages approximately 3.9 million weekly downloads.
The fraudulent package employs a clever strategy to avoid detection by maintaining full functional compatibility with Nodemailer’s API while executing its malicious payload in the background.
The package presents itself as a legitimate email solution, complete with copied documentation, styling, and README content from the original Nodemailer project.
This careful impersonation allows it to pass casual inspection and enables application tests to continue functioning normally, giving developers little reason to suspect foul play.
Upon installation, the malicious package automatically executes code that specifically targets Atomic Wallet installations on Windows systems. The attack mechanism involves several ...
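Because the impersonating package keeps Nodemailer's API working and application tests passing, a dependency-level check is more reliable than behavioural testing. The following is an added example, not code from the article or from Socket: it scans a parsed `package-lock.json` for the package name reported above, including transitive installs and npm aliases. The function name, sample lockfile, and version strings are constructed for illustration.

```javascript
// Added example (not from the article): scan a parsed package-lock.json
// for a blocklisted package name, including transitive and aliased installs.
const BLOCKLIST = new Set(['nodejs-smtp']); // package name reported in the article

// Returns [{ name, version, path }] for every blocklisted entry found.
function findBlocklisted(lock, blocklist = BLOCKLIST) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf('node_modules/');
    // An aliased install keeps the real package name in "name".
    const name = meta.name || (i >= 0 ? path.slice(i + 'node_modules/'.length) : path);
    if (blocklist.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree; an alias is recorded
  // in "version" as "npm:<real-name>@<version>".
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${key}`;
      const alias = /^npm:(.+)@[^@]+$/.exec(meta.version || '');
      const name = alias ? alias[1] : key;
      if (blocklist.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; versions are placeholders, not real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/nodemailer': { version: '0.0.0-example' },
    'node_modules/mail-helper/node_modules/nodejs-smtp': { version: '0.0.0-example' },
    'node_modules/mailer': { name: 'nodejs-smtp', version: '0.0.0-example' },
  },
};

console.log(findBlocklisted(sampleLock));
```

In practice the input would be `JSON.parse` of the project's own lockfile, and a non-empty result would fail the CI job before `npm install` runs.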
Copyright of this story solely belongs to gbhackers.