
Malicious npm Package 'nodejs-smtp' Targets Cryptocurrency Wallets with Supply Chain Attack
Security researchers have identified a malicious npm package, 'nodejs-smtp', that injects code into the desktop applications of cryptocurrency wallets such as Atomic and Exodus on Windows systems. The package impersonates the legitimate e-mail library 'nodemailer', copying its hooks, page styling and README description, and had accumulated 347 downloads.

This is a software supply chain attack: the malicious code reaches its victims through a trusted channel, the npm registry, rather than through an exploit against the victim's own code. Although the technique is often grouped with typo-squatting, 'nodejs-smtp' is not a misspelling of 'nodemailer'; it is a lookalike package that borrows the popular library's branding so that a developer looking for an SMTP client adopts it in good faith. The focus on wallet applications points to a targeted effort against high-value assets, where a successful compromise translates directly into financial loss.

Developers should verify a package's author, repository and publisher before adding it, pin dependencies in a lockfile, review any install-time scripts a package declares, and enforce strict policies on which dependencies may be introduced. Tools like npm audit help, but only once a malicious package has been reported to the advisory database, so they cannot serve as the sole control against a freshly published lookalike. The incident underscores the need for continuous vigilance and proactive review of software dependencies.
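As an added example, written by the editor and not taken from the report or from the package itself, the following Node.js script triages a package manifest before installation. It flags the traits a lookalike package of this kind tends to show: install-time lifecycle scripts, a description copied from a popular library, wrapping that very library as a dependency so the advertised feature still works, and dependencies that an e-mail client has no business pulling in (here, tooling for unpacking and repacking Electron application bundles, which is what desktop wallets ship as). The heuristics, the list of out-of-place dependencies and both sample manifests are the editor's constructed assumptions; the real package's metadata is not reproduced.

```javascript
// Added example (editor's code, not from the original article or the package):
// pre-install triage of an npm package.json manifest. Heuristics and sample
// data below are assumptions for illustration.

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Dependencies an SMTP library has no business declaring: Electron archive
// tooling used to unpack and repack a desktop app bundle. Illustrative list.
const OUT_OF_PLACE_DEPS = new Set(["asar", "@electron/asar"]);

// Normalise free text so a copied description still matches after trivial
// edits (case, punctuation, whitespace).
function normalise(text) {
  return String(text || "")
    .toLowerCase()
    .replace(/[^a-z0-9 ]+/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Word-level Jaccard similarity between two descriptions, in [0, 1].
function similarity(a, b) {
  const wa = new Set(normalise(a).split(" ").filter(Boolean));
  const wb = new Set(normalise(b).split(" ").filter(Boolean));
  if (wa.size === 0 || wb.size === 0) return 0;
  let shared = 0;
  for (const w of wa) if (wb.has(w)) shared++;
  return shared / (wa.size + wb.size - shared);
}

// Returns human-readable findings for one manifest. An empty list means no
// heuristic fired, which is not proof that the package is clean.
function triageManifest(manifest, knownPackages) {
  const findings = [];

  // 1. Scripts that run automatically during `npm install`.
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_SCRIPTS) {
    if (scripts[hook]) {
      findings.push(`lifecycle script "${hook}" runs on install: ${scripts[hook]}`);
    }
  }

  // 2. Dependencies that do not fit the package's stated purpose.
  const deps = { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
  for (const dep of Object.keys(deps)) {
    if (OUT_OF_PLACE_DEPS.has(dep)) {
      findings.push(`depends on Electron bundle tooling "${dep}"`);
    }
  }

  // 3. A description lifted from a well-known package, optionally combined
  //    with wrapping that package so the promised functionality still works.
  for (const known of knownPackages) {
    if (known.name === manifest.name) continue;
    const score = similarity(manifest.description, known.description);
    if (score >= 0.8) {
      findings.push(`description is a near-copy of "${known.name}" (similarity ${score.toFixed(2)})`);
      if (deps[known.name]) {
        findings.push(`wraps the package it resembles ("${known.name}") as a dependency`);
      }
    }
  }
  return findings;
}

// Constructed sample data (not the real packages' metadata).
const KNOWN_PACKAGES = [
  { name: "nodemailer", description: "Send e-mail from Node.js over SMTP" },
];

const SUSPECT_MANIFEST = {
  name: "nodejs-smtp",
  version: "1.0.0",
  description: "Send e-mail from Node.js over SMTP",
  scripts: { postinstall: "node ./lib/setup.js" },
  dependencies: { nodemailer: "^6.9.0", asar: "^3.2.0" },
};

const BENIGN_MANIFEST = {
  name: "tiny-retry",
  version: "2.1.0",
  description: "Retry a promise-returning function with exponential backoff",
  dependencies: {},
};

for (const manifest of [SUSPECT_MANIFEST, BENIGN_MANIFEST]) {
  const findings = triageManifest(manifest, KNOWN_PACKAGES);
  console.log(`${manifest.name}: ${findings.length ? findings.join("; ") : "no heuristic fired"}`);
}
```

In practice the manifest would come from `npm view <pkg> --json` or from the tarball before it is added to a lockfile, and a hit on any finding is a reason to read the package source rather than an automatic block; a legitimate plugin may well depend on the library it extends, which is why the wrapping check only fires alongside a copied description.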