Malicious npm Package Masquerades as Popular Email Library

by CybrGPT

A new malicious npm package impersonating the widely used nodemailer library has been uncovered by cybersecurity researchers.

The package, named “nodejs-smtp,” not only functioned as an email sender but also injected code into desktop cryptocurrency wallets, silently redirecting transactions to wallets controlled by the attacker.

When imported, nodejs-smtp used Electron tooling to tamper with Atomic Wallet on Windows. The package unpacked the app archive, replaced a vendor file with malicious code, repackaged the application, and then deleted traces of the process.

Once active inside the wallet, the payload overwrote the recipient address during transactions with pre-set addresses tied to the attacker. This allowed for the theft of Bitcoin (BTC), Ethereum (ETH), Tether (USDT), TRX (USDT), XRP and Solana (SOL).

Socket’s Threat Research Team, which discovered the threat, said that although the package remained capable of sending emails, its functional cover concealed the malicious operations. Developers testing applications typically saw expected results, making it less likely that they questioned the dependency.


The package was published under the alias nikotimon, with a registration email tied to darkhorse.tech322@gmail[.]com. Socket researchers noted that the attacker had not accumulated significant funds, likely because the campaign is recent. However, they warn that the tooling was “deliberate, reusable, and scalable.”

Socket petitioned the npm security team for both the removal of the package and the suspension of the associated account, which have now been completed.

Why Developers Are at Risk

The malicious package had only 342 downloads at the time of Socket’s publication, compared to nodemailer’s 3.9 million weekly downloads.

Its convincing name, copied styling and nearly identical README, however, made it easy for developers under pressure to mistake it for the real library. That risk was compounded by AI coding assistants, which can suggest plausible but incorrect package names.

Common reasons developers may inadvertently choose nodejs-smtp included:

Socket researchers emphasized that this campaign demonstrates how a single import can modify unrelated applications on a developer’s workstation. By combining import-time execution with Electron manipulation, a harmless-looking mailer became a wallet drainer.

The team expects more attacks of this type to emerge, affecting not just Ethereum and Solana but also TRON, TON and other chains. Socket advised developers to rely on security tools that scan pull requests, block suspicious dependencies at install time and flag impersonated packages.


© 2025 cybrgpt.com – All rights reserved.