Threat actors have been publishing malicious NPM packages to steal the information and funds of PayPal and cryptocurrency wallet users.
Fortinet discovered that PayPal users have been targeted with multiple information-stealing packages that were likely created in early March by a threat actor known as tommyboy_h1 and tommyboy_h2.
The packages used PayPal-related themes such as oauth2-paypal and buttonfactoryserv-paypal to trick developers into installing them. To evade detection, a preinstall hook is used in the malicious packages.
The hook ensures a malicious script is automatically executed before the package’s installation to harvest system data and sensitive information, such as usernames and passwords, and send it to a remote server using a dynamically generated URL.
“To spot a compromise, look for unusual NPM packages with names like ‘paypal’. Other signs include unexpected network connections to unknown servers, so also check your network logs for any suspicious activity,” Fortinet notes.
Users of the cryptocurrency wallet applications Atomic Wallet and Exodus, ReversingLabs warns, have been targeted with a malicious NPM package designed to hijack fund transfers and divert them to crypto addresses controlled by threat actors.
Named pdf-to-office and published in March, the package poses as a library that supports the conversion of PDF files to Microsoft Office documents. Upon execution, however, the package overwrites local files used by Atomic Wallet and Exodus with malicious versions that contain the legitimate functionality of the original but replace outgoing crypto addresses with the attacker’s crypto address.
The malicious code was also seen sending a ZIP archive to a remote server, suggesting that it could also harvest sensitive information from an infected system.
ReversingLabs also warns that impacted users would need to completely remove the compromised wallet applications and re-install them. Otherwise, even if the malicious NPM package were removed, the wallets would continue to send funds to the attacker’s address.
Related: 9-Year-Old NPM Crypto Package Hijacked for Information Theft
Related: Snyk Says ‘Malicious’ NPM Packages Part of Research Project
Related: Open Source Package Entry Points May Lead to Supply Chain Attacks
Related:Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI