Malicious NPM Packages Target PayPal and Crypto Wallet Users in Sophisticated Theft Campaign

Cybercriminals are exploiting malicious NPM packages to steal personal data and siphon funds from PayPal users and cryptocurrency wallets, according to reports from Fortinet and ReversingLabs.

Fortinet has revealed that PayPal users were targeted through several rogue packages created in early March by a threat actor using the aliases tommyboy_h1 and tommyboy_h2. These packages were disguised under PayPal-related names like oauth2-paypal and buttonfactoryserv-paypal to mislead developers into trusting and installing them.

To remain under the radar, the packages utilize a preinstall hook, a lifecycle script that npm runs automatically before the package finishes installing. This mechanism executes malicious code that gathers system data, including sensitive credentials such as usernames and passwords, and transmits it to a remote server via dynamically generated URLs.

Fortinet advises developers to be on alert for suspiciously named NPM packages referencing PayPal and to inspect network activity logs for any unauthorized external connections.

Meanwhile, ReversingLabs has highlighted a similar campaign targeting users of popular cryptocurrency wallets like Atomic Wallet and Exodus. The malicious NPM package involved, named pdf-to-office, masquerades as a tool for converting PDF files into Office formats. However, upon execution, it covertly alters key application files used by the wallets.

While retaining the wallets' original functionalities, the modified files surreptitiously redirect outgoing crypto transactions to wallet addresses controlled by the attackers. Additionally, the malware was observed sending a ZIP file to a remote server, suggesting that it may be exfiltrating sensitive system data.

ReversingLabs cautions that simply uninstalling the malicious package won't undo the damage. A complete reinstallation of the affected wallet applications is necessary to remove the altered components and stop the ongoing redirection of funds.

This campaign underscores the growing trend of attackers embedding sophisticated malware into software supply chains, exploiting trusted ecosystems to gain access to financial assets and sensitive information.