Users of the Atomic and Exodus wallets are being targeted by threat actors uploading malicious software packages to online coding repositories to steal crypto private keys in the latest cybersecurity threat identified by security professionals.
According to cybersecurity researchers at ReversingLabs, the exploit works by hiding malicious code in seemingly legitimate npm software packages, which are pre-built bundles of code widely used by software developers.
These malicious software packages target locally installed Atomic Wallet and Exodus Wallet files by installing a patch that overwrites the files to compromise the user interface and fool the unsuspecting victim into sending crypto to scam addresses.
Software supply chain attacks are an emerging threat vector targeting crypto holders as the industry continues to play a cat-and-mouse game with hackers attempting to steal user funds using increasingly sophisticated methods to avoid detection.
The malicious code contained in the pdf-to-office package. Source: ReversingLabs
Related: $2B lost to crypto hacks in Q1 2025, $1.63B from access control flaws
Hackers target crypto community in increasingly sophisticated attacks
According to cybersecurity firm Hacken, crypto hacks and exploits cost the industry roughly $2 billion in losses during Q1 2025, most of which came from the $1.4 billion Bybit hack in February.
The SafeWallet developer released a post-mortem update in March 2025 outlining a forensic analysis of the single biggest hack in crypto history.
SafeWallet’s analysis ultimately found that a Safe developer’s computer was compromised by hackers who hijacked the developer’s Amazon Web Services session tokens to access the firm’s development environment and set up the Bybit attack.
Jameson Lopp, a cypherpunk and chief security officer at Bitcoin (BTC) custody company Casa, recently sounded the alarm on BTC address poisoning attacks.
A breakdown of the losses caused by crypto hacks and exploits in Q1 2025. Source: Hacken
Address poisoning attacks target victims by generating destination addresses that match the first four and the last four characters of an address from the victim’s transaction history.
The threat actor then sends a transaction from the malicious address for a small amount, typically below one dollar, to the target so that the address will show up in a victim’s transaction history.
If the victim is not paying attention by carefully examining the entire address, they may mistakenly send funds to the malicious address, which closely resembles the destination.
Cybersecurity firm Cyvers estimates that address poisoning attacks were responsible for $1.2 million in stolen funds in March 2025 alone.
Magazine: $55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec
