Microsoft Alerts on npm Malware Targeting Cryptocurrency Wallets
Severity: High (Score: 74.0)
Sources: Analyticsinsight, Arabictrader
Keywords: microsoft, malware, warns, threat, wallets, crypto, investors
Severity indicators: malware
Summary
Microsoft's Threat Intelligence unit has issued a warning about a cyber campaign targeting cryptocurrency investors and software developers through compromised npm packages. The malware, embedded in two specific packages, acts as a remote access Trojan capable of logging keystrokes and stealing sensitive wallet credentials. The attack uses the Hugging Face platform to obscure data exfiltration, making detection difficult for conventional security systems. The campaign is part of a broader trend of software supply chain attacks that have recently affected multiple ecosystems, including Python and Rust. Microsoft recommends that developers audit their dependencies, remove suspicious packages, and monitor wallet activity to mitigate risk. The threat highlights the evolving tactics of attackers who now target development tools rather than only end-user systems. Users are advised not to store sensitive information on connected devices and to verify transactions before approving them.

Key points:
- Attackers are using compromised npm packages to deploy remote access Trojans.
- The malware can log keystrokes and steal cryptocurrency wallet credentials.
- Microsoft urges developers to perform security audits and monitor wallet activity.
Detailed Analysis
**Impact**
Cryptocurrency investors and software developers using npm packages are affected by malware that steals wallet keys, passwords, and sensitive data. The campaign targets users globally, focusing on those involved in crypto wallet management and application development. Stolen data includes private keys, API keys, cloud credentials, and SSH access, risking unauthorized crypto transactions and broader account compromises. The attack also affects AI and machine learning developers because Hugging Face is used for data exfiltration.

**Technical Details**
Attackers compromised two npm packages, [email protected] and [email protected], embedding a remote access Trojan (RAT) capable of keystroke logging, screenshot capture, and credential theft. The malware operates silently after installation and exfiltrates data via Hugging Face, a legitimate AI platform, to evade detection. This supply chain attack relies on poisoned open-source dependencies and blends crypto theft with AI ecosystem tools. No CVEs or specific infrastructure IPs/URLs were disclosed in the sources.

**Recommended Response**
Developers should immediately audit and remove suspicious npm dependencies, rotate all exposed credentials, and monitor wallet activity for unauthorized transactions. Avoid storing seed phrases or recovery phrases on internet-connected devices and verify every wallet transaction before approval. Security teams should improve detection of anomalous data flows to AI platforms such as Hugging Face and monitor for unusual npm package behavior. No specific patches were mentioned; focus on dependency hygiene and credential management.
Source articles (2)
- Crypto News Today: Microsoft Warns Crypto Investors as npm Malware Targets Wallets — Analyticsinsight · 2026-06-03
  Microsoft Threat Intelligence has warned that attackers are targeting cryptocurrency investors by hiding malware inside public npm open-source packages used by developers to build applications. The ca…
- Microsoft warns of a direct threat to digital currency wallets — Arabictrader · 2026-06-03
  Microsoft has warned of a new cyber campaign targeting software developers and cryptocurrency users, following the discovery of malware hidden within publicly available npm packages, some of which are…
Timeline
- 2026-05-25 — TrapDoor malware campaign identified: A campaign spread through over 34 malicious npm packages targeting crypto and AI developers.
- 2026-06-03 — Microsoft issues warning about npm malware: Microsoft alerts developers and crypto users about malware hidden in npm packages that can steal sensitive data.
- 2026-06-03 — Security recommendations provided: Microsoft advises developers to audit dependencies and avoid storing sensitive information on connected devices.
Related entities
- Slow Fog (Company)
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Trojan (Attack Type)
- TrapDoor Campaign (Campaign)
- Plain-crypto-js (Malware)
- Trapdoor (Platform)
- PyPI (Platform)
- Rust (Platform)
- Axios (Platform)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1056 - Input Capture (Mitre Attack)
- T1113 - Screen Capture (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Npm (Tool)
- CrystalDiskInfo (Tool)
- Hugging Face (Tool)
- HWMonitor (Tool)
- ScreenConnect (Tool)