
New Malicious NPM Packages Put Your Wallets at Risk


Developers and cryptocurrency users have a new threat to worry about—malicious NPM packages designed to steal credentials and hijack transactions. Researchers have uncovered a disturbing rise in deceptive NPM modules targeting PayPal and crypto wallet users, raising concerns about software supply chain security.

Security experts at Fortinet recently revealed that a threat actor, operating under the aliases tommyboy_h1 and tommyboy_h2, uploaded multiple rogue packages to the NPM registry. These packages were carefully named to impersonate legitimate PayPal tools, using labels like oauth2-paypal and buttonfactoryserv-paypal. The goal? To trick unsuspecting developers into downloading them.

What makes these packages especially dangerous is their use of a preinstall script hook—a standard npm lifecycle hook that runs a script automatically before the package's own contents are installed, with no action from the developer. Once triggered, the script collects system information, including usernames and passwords, and sends it to a remote server using a dynamically generated URL, making the attack harder to trace.

Fortinet urges developers to be alert for any suspicious NPM packages with PayPal-related names. They also recommend checking for unusual outbound network traffic, which may indicate unauthorized connections to unknown servers.

But PayPal isn’t the only target.

Security firm ReversingLabs has issued a warning about another malicious NPM package, this time targeting cryptocurrency wallet users. The package, named pdf-to-office, pretends to be a tool for converting PDF files into Microsoft Office documents. In reality, it’s a trojan horse designed to interfere with crypto wallets like Atomic Wallet and Exodus.

Once installed, pdf-to-office modifies local configuration files for the wallet apps. It swaps out the user’s outgoing crypto addresses with those controlled by the attacker, essentially redirecting funds to the hacker during transfers. Shockingly, the altered wallets still function normally, making the theft hard to detect.

The malicious code also uploads a ZIP archive to a remote server, possibly containing sensitive system data. That means the threat doesn’t stop at stolen crypto—it could lead to broader data leaks as well.

ReversingLabs advises impacted users to do more than just delete the package. Even after removing the rogue NPM module, the compromised wallets remain a threat. The only way to stop the attack is to fully uninstall the affected crypto apps and perform a clean reinstall.

These incidents are the latest in a wave of software supply chain attacks targeting open-source ecosystems like NPM. With the growing popularity of JavaScript-based applications, attackers are clearly setting their sights on developer tools to reach wider audiences—stealing both financial data and digital assets in the process.
