Malicious NPM Packages Target PayPal and Crypto Wallet Users
Cybersecurity researchers have uncovered a wave of malicious NPM packages designed to steal sensitive data and funds from PayPal and cryptocurrency wallet users.
According to Fortinet, multiple information-stealing packages were uploaded to NPM by a threat actor operating under the aliases tommyboy_h1 and tommyboy_h2. These packages, which appeared in early March, used PayPal-themed names like oauth2-paypal and buttonfactoryserv-paypal to trick developers into downloading them.
To remain undetected, the malicious packages included a preinstall hook, a lifecycle script that npm runs automatically during installation, so the harmful code executed before the package was ever imported or used. These scripts collect sensitive system data, such as usernames and passwords, and transmit it to a remote server through a dynamically generated URL.
Fortinet advises developers to watch out for suspiciously named NPM packages and monitor for unusual network activity, especially connections to unfamiliar servers.
Meanwhile, cybersecurity firm ReversingLabs has warned of another malicious NPM package targeting users of the Atomic Wallet and Exodus cryptocurrency apps. Disguised as a legitimate tool called pdf-to-office, this package claims to convert PDFs to Office files. Instead, it replaces local wallet files with altered versions that reroute outgoing cryptocurrency transactions to addresses controlled by attackers.
Additionally, the malware sends a ZIP file to a remote server, potentially leaking more sensitive data. ReversingLabs emphasizes that users must fully uninstall and reinstall their wallet apps, as simply deleting the malicious NPM package won't stop the hijacking.