Microsoft’s Threat Intelligence team has issued an urgent alert about a novel malware campaign that embeds crypto-stealing code inside widely used open-source packages on npm, the JavaScript package registry. The attackers compromised two specific packages—[email protected] and [email protected]—to deploy a Remote Access Trojan (RAT) on developer machines and any system that downloads the poisoned code.
Once installed, the RAT silently monitors the victim’s device, recording keystrokes, taking screenshots, and scanning for stored private keys, seed phrases, wallet credentials, browser wallets, exchange API keys, GitHub tokens, and cloud logins. The threat is particularly dangerous for crypto investors and wallet users because a compromised developer machine can expose every piece of sensitive data needed to drain wallets or hijack accounts.
In a twist designed to avoid detection, the stolen data is exfiltrated through Hugging Face, a trusted platform for AI and machine learning projects. By routing the traffic to Hugging Face repositories instead of a blacklisted criminal server, the attackers make the data flow appear legitimate, allowing it to slip past basic security filters. Microsoft emphasized that this tactic, “abusing Hugging Face repos as exfiltration infrastructure,” makes the campaign significantly harder to spot.
The npm warning arrives amid a broader trend of supply-chain attacks aimed at crypto developers. Crypto.news previously reported the TrapDoor malware campaign, which spread through 34 malicious packages across npm, PyPI, and Rust ecosystems, targeting wallet data and SSH access. Earlier, malicious Axios releases laced with plain-crypto-js malware exposed crypto developers to cross-platform RATs. These incidents show that threat actors now routinely target the tools and pipelines used to build crypto applications, not just end-users.
Separately, Microsoft also flagged a cryptojacking threat that uses SEO poisoning and fake AI chatbot recommendations to distribute GPU mining malware. That campaign preys on gamers and hardware enthusiasts with high-end graphics cards, secretly siphoning their processing power to mine crypto.
Microsoft advises all developers to immediately audit their npm dependencies, rotate any potentially exposed credentials, and check wallet activity. Crypto users should never store seed phrases on internet-connected devices and should verify every wallet transaction before signing.
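One concrete way to carry out the dependency audit Microsoft recommends is to check the lockfile for exact package@version pairs named in an advisory, rather than only the direct dependencies in package.json, because a poisoned release is often pulled in transitively. The script below is an added example, not code from Microsoft or from the article; the denylist entries and the sample lockfile are constructed placeholders, and the two compromised package names and versions from the advisory must be substituted in before use.

```javascript
// Added example: scan an npm lockfile for exact package@version pairs on a
// denylist. Handles lockfileVersion 2/3 (flat "packages" map keyed by install
// path) and lockfileVersion 1 (nested "dependencies" tree).
// The denylist below holds PLACEHOLDERS, not real indicators; replace them
// with the package@version pairs named in the advisory you are acting on.
const DENYLIST = new Set([
  "placeholder-package-a@1.2.3", // placeholder, not a real IoC
  "placeholder-package-b@4.5.6", // placeholder, not a real IoC
]);

// Derive the package name from a v2/v3 lockfile path, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Return every install site whose name@version is on the denylist.
function findFlagged(lockfile, denylist = DENYLIST) {
  const hits = [];

  // lockfileVersion 2 and 3: flat map of install paths to metadata.
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    if (pkgPath === "") continue; // "" is the root project itself
    const key = `${nameFromPath(pkgPath)}@${meta.version}`;
    if (denylist.has(key)) hits.push({ key, path: pkgPath });
  }

  // lockfileVersion 1: nested tree under "dependencies". Only walked when no
  // "packages" map exists, so v2 files (which carry both) are not double-counted.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const key = `${name}@${meta.version}`;
      if (denylist.has(key)) hits.push({ key, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lockfile.packages) walk(lockfile.dependencies, "");

  return hits;
}

// Human-readable summary for a console run.
function report(lockfile) {
  const hits = findFlagged(lockfile);
  if (hits.length === 0) return "no flagged packages found";
  return hits.map((h) => `FLAGGED ${h.key} installed at ${h.path}`).join("\n");
}

// Constructed sample lockfile (lockfileVersion 3). One flagged package sits at
// top level, another is nested under a transitive dependency, and a third
// entry shares a flagged name but carries a clean version.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/example-util": { version: "1.0.0" },
    "node_modules/placeholder-package-a": { version: "1.2.3" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/placeholder-package-b": { version: "4.5.6" },
    "node_modules/placeholder-package-b": { version: "4.5.7" },
  },
};

console.log(report(SAMPLE_LOCKFILE));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Matching on exact versions mirrors how an advisory names a poisoned release; a match anywhere in the tree, not only among direct dependencies, should trigger the credential rotation and wallet-activity review the advisory calls for.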