Microsoft has warned that attackers hid crypto-stealing malware inside public npm packages, creating a fresh risk for developers, crypto investors and wallet users.
Summary
- Microsoft says npm packages deploy RAT malware that quietly steals crypto wallet credentials from devices.
- Attackers used Hugging Face repos to move stolen data while avoiding suspicious server traffic logs.
- Crypto.news coverage links Microsoft’s warning to wider supply-chain attacks hitting developers and crypto wallet tools.
Microsoft Flags Poisoned npm Packages
Microsoft Threat Intelligence said two compromised npm packages, [email protected] and [email protected], were “abusing Hugging Face repos as exfiltration infrastructure.” The company said the packages deploy a remote access trojan, or RAT, that can collect keystrokes, screenshots and crypto wallet credentials.
Npm is a public software registry used by JavaScript developers to build apps and web tools. When a developer installs a poisoned package, the malware can run quietly on the device and watch for sensitive files, passwords or wallet data.
Hugging Face Route Raises Detection Risk
The campaign stands out because attackers used Hugging Face, a trusted platform for artificial intelligence and machine learning projects, to move stolen data. That route can make the traffic look less suspicious than a direct link to an unknown criminal server.
For crypto users, this creates a direct security concern. A developer machine may store browser wallets, private keys, seed phrase files, exchange API keys, GitHub tokens and cloud logins. If attackers collect those details, they can target wallets, code repositories and trading systems.
Broader Developer Attacks
Related crypto.news coverage shows that software supply-chain attacks remain a live problem for the crypto sector. A May 25 report said the TrapDoor malware campaign spread through more than 34 malicious packages across npm, PyPI and Rust ecosystems.
That campaign targeted crypto and AI developers by stealing wallet data, API keys, cloud credentials and SSH access through fake developer tools. It also showed how attackers now target the people and systems used to build crypto apps, not only end users.
Crypto.news also reported in March that Slow Fog had warned developers about malicious Axios releases. The poisoned versions pulled in plain-crypto-js malware and exposed crypto developers to cross-platform RATs and stolen credentials through npm.
Cryptojacking Adds Another Microsoft Alert
Microsoft’s warning follows another malware report from its security teams. On May 26, Microsoft said attackers used poisoned search results and some AI chatbot interactions to spread fake PC utility downloads that installed GPU mining malware.
That campaign targeted users with powerful graphics cards, including gamers and hardware enthusiasts. Microsoft said the malware abused ScreenConnect, Microsoft .NET utilities and fake downloads for tools such as CrystalDiskInfo and HWMonitor to run crypto miners.
The latest npm warning keeps attention on basic security steps. Developers should audit recent package installs, remove suspicious dependencies, rotate exposed credentials and check wallet activity. Crypto users should avoid storing seed phrases on connected devices and verify every wallet transaction before signing.
