Do Son 
List of TH policies in package pdf-to-office@1.0.2
Software supply chain attacks are becoming increasingly sophisticated, with malicious actors disguising harmful code as legitimate libraries and embedding it into developers’ environments. A recent example is the malicious npm package named “pdf-to-office,” discovered by researchers at Reversing Labs. Purporting to offer functionality for converting PDF documents into Word format, its true purpose was far more nefarious: hijacking cryptocurrency wallets belonging to users of Atomic Wallet and Exodus.
Published on March 24, 2025, the package has already undergone three updates, with the most recent version, 1.1.2, released on April 8—still available for download. To date, it has been downloaded 334 times. Upon installation, the package checks for the presence of the “app.asar” archive in the Atomic Wallet directory and proceeds to embed malicious code directly into the wallet’s application files.
What makes this attack particularly insidious is its specificity: if the malware detects Atomic Wallet versions 2.91.5 or 2.90.6, it replaces one of the files in the archive with a tampered counterpart. This altered file performs the same functions as the original but reroutes transactions to an attacker-controlled wallet address encoded in Base64. Consequently, when a user attempts to send cryptocurrency, the recipient address is covertly swapped with that of the attacker.
A similar method targets Exodus, specifically versions 25.13.3 and 25.9.2. The malware replaces the “index.js” file within the wallet’s user interface, redirecting funds to the attacker’s account.
Crucially, deleting the npm package does not neutralize the threat. The compromised files within the cryptocurrency wallets persist and continue to operate, even after the infected package is removed. The only effective remediation is a complete removal of the wallet software, followed by a fresh installation from a verified source.
This disclosure follows a series of exposés on compromised developer tools. Previously, malicious npm packages such as ethers-provider2 and ethers-providerz were found to infect local libraries and enable remote access via SSH.
Further compounding the threat are malicious Visual Studio Code extensions. Researchers from ExtensionTotal identified ten such extensions that downloaded PowerShell scripts to disable Windows security features, created scheduled tasks for persistence, and launched the XMRig cryptocurrency miner. Among the rogue extensions were imitations of well-known tools such as Prettier, Solidity Compiler, ChatGPT Agent, and others.
These malicious extensions had accumulated over a million installations before being taken down. In some cases, attackers even bundled legitimate versions of the tools to avoid detection, quietly mining cryptocurrency in the background while users continued their routine development tasks.
