Crypto Wallets Under Siege: Researchers Uncover New Malware Threatening Digital Assets

BREAKING: Digital vaults face unprecedented security crisis as cybersecurity experts expose sophisticated malware targeting cryptocurrency holdings.

THE STEALTH INVASION

This isn't your typical phishing scam—this malware bypasses conventional security measures, infiltrating wallets through seemingly legitimate applications. It operates silently, siphoning funds without triggering standard alerts.

THE EXPLOITATION MECHANISM

The malicious code mimics system processes, granting attackers remote access to private keys and seed phrases. It targets both hot and cold storage solutions, compromising what users believed were ironclad security setups.

INDUSTRY RESPONSE

Major wallet providers scramble to deploy patches while security firms race to develop detection tools. The timing couldn't be worse—just when traditional finance finally stopped calling crypto a 'passing fad.'

PROTECT YOUR ASSETS

Update your software immediately, enable multi-factor authentication, and verify all application sources. Remember: in crypto, your security is only as strong as your weakest link—usually between the chair and the keyboard.

ModStealer exploits Node.js to steal private keys

According to research by 9to5Mac, ModStealer malware disguised itself on macOS systems as a background helper program to achieve persistence, ensuring it ran automatically every time the computer restarted. The infected systems had a file labeled sysupdater.dat and unusual connections to suspicious servers. 

Shan Zhang, chief information security officer at SlowMist, a blockchain security company, revealed that ModStealer evades detection by mainstream antivirus software and poses a significant risk to the digital asset ecosystem. He added that the malware has multi-platform support and stealth execution, which differentiates it from traditional malware. 

Charles Guillemet, Ledger CTO, revealed another similar attack that allowed attackers to compromise a Node Package Manager (npm) developer account in an attempt to spread malicious code, which may silently replace wallet addresses during transactions. He cautioned that such incidents show how vulnerable blockchain-related code libraries can be.

“The attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited impact. Still, this is a clear reminder: if your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge.”

–Charles Guillemet, Ledger CTO

Zhang warned that the ModStealer malware presents a direct threat to crypto users and platforms, adding that for individual users, the compromise of private keys, seed phrases, and exchange API keys may lead to immediate losses. He also noted that mass theft of browser extension wallet data could fuel large-scale on-chain exploits and weaken user trust while increasing risks across crypto supply chains. 

New cyber exploits target crypto wallets data

Guillemet discovered that the JavaScript ecosystem was compromised by a massive supply chain attack targeting libraries such as chalk, strip-ansi, color-convert, and error-ex. The affected packages have been downloaded more than one billion times a week, which presents a severe threat to the blockchain ecosystem. 

The malicious software worked as a crypto-clipper, meaning it could replace wallet addresses in network requests or modify transactions initiated via MetaMask and other wallets. The attack was discovered via a minor CI/CD pipeline build failure. The researchers later found that the malware used two strategies. The first strategy was passive address swapping, which monitored outgoing traffic requests and replaced wallet addresses with the hijacker’s controlled ones. It used the Levenshtein distance algorithm, which selects lookalike addresses, making it visually difficult to detect changes.

Another method the attackers utilized was active transaction hijacking, which modifies pending transactions in memory before forwarding them for user approval once a crypto wallet is detected. This tricked users into signing transfers directly to the attacker’s wallet.

Similar incidents have been reported on Cryptopolitan recently, where ReversingLabs’ research revealed another malware concealed on ethereum smart contracts. The attack was downloaded via npm packages, including colortoolv2 and mimelib2, which acted as second-stage agents, fetching the malicious software stored on the Ethereum blockchain. 

ReversingLabs revealed that the malicious software bypassed security scans by hiding the malicious URLs within the Ethereum smart contracts. It was later downloaded through fake GitHub repositories, which posed as cryptocurrency trading bots. The operation was linked to Stargazer’s Ghost Network, a system of coordinated attacks that boost the legitimacy of malicious repositories.

If you're reading this, you’re already ahead. Stay there with our newsletter.