Cryptopolitan, September 12, 2025

Crypto wallets under threat as researchers uncover new malware

Security firm Mosyle has discovered a malware strain capable of bypassing antivirus detection and stealing information from crypto browser extensions. The malware spreads via fake recruiter ads. Antivirus software did not detect the ModStealer malware for almost a month before it was reported. It targeted developers already working with [...]. It scans for browser-based crypto wallet extensions, system credentials, and digital certificates before sending the stolen information to a command and control (C2) server. The C2 server acts as a central hub for the scammers to manage compromised [...].

ModStealer exploits [...] to steal private keys

According to research by 9to5Mac, ModStealer disguised itself on macOS systems as a background helper program to achieve persistence, ensuring it ran automatically every time the computer started up. Infected systems had a file labeled [...] and unusual connections to suspicious [...].

Zhang, chief information security officer at SlowMist, a blockchain security company, said that ModStealer evades detection by mainstream antivirus software and poses a significant risk to the digital asset [...]. Zhang added that the malware has multi-platform support and stealth execution, which differentiates it from traditional [...].

Charles Guillemet, Ledger CTO, revealed another similar attack in which attackers compromised a Node Package Manager (npm) developer account in an attempt to spread malicious code that could silently replace wallet addresses during transactions. Guillemet cautioned that such incidents show how vulnerable blockchain-related code libraries can be.

“The attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited impact. Still, this is a clear reminder: if your funds sit in a software wallet or on an exchange, you’re one code execution away from losing [...]. Supply chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge.” – Charles Guillemet, Ledger CTO

Zhang warned that the ModStealer malware presents a direct threat to crypto users and platforms, adding that for individual users, the compromise of private keys, seed phrases, and exchange API keys may lead to immediate [...]. Zhang also noted that mass theft of browser extension wallet data could fuel large-scale on-chain exploits and weaken user trust while increasing risks across crypto supply chains.

Cyber exploits target crypto wallet data

Guillemet discovered that the JavaScript ecosystem was compromised by a massive supply chain attack targeting libraries such as chalk, strip-ansi, color-convert, and [...]. The affected packages have been downloaded more than one billion times a week, which presents a severe threat to the blockchain [...]. The malicious software worked as a crypto-clipper, meaning it could replace wallet addresses in network requests or modify transactions initiated via MetaMask and other wallets. The attack was discovered via a minor CI/CD pipeline build [...]. Researchers later found that the malware used two strategies. The first strategy was passive address swapping, which monitored outgoing traffic requests and replaced wallet addresses with the hijacker’s controlled address. It used the Levenshtein distance algorithm to select lookalike addresses, making the swap visually difficult to detect. The second method the attackers utilized was active transaction hijacking, which modifies pending transactions in memory before forwarding them for user approval once a crypto wallet is [...]. This tricked users into signing transfers directly to the attacker’s address.

Similar incidents have been reported on Cryptopolitan recently, where ReversingLabs’ research revealed another malware concealed on Ethereum smart contracts. The attack was downloaded via npm packages, including colortoolv2 and mimelib2, which acted as second-stage agents, fetching the malicious software stored on the Ethereum blockchain. The researchers revealed that the malicious software bypassed security scans by hiding the malicious URLs within the Ethereum smart contracts. It was later downloaded through fake GitHub repositories, which posed as cryptocurrency trading [...]. The operation was linked to Stargazer’s Ghost Network, a system of coordinated attacks that boost the legitimacy of malicious repositories.
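The lookalike-address substitution described above suggests a defender-side check: compare the recipient a wallet is about to send to against the address the user actually intended, and treat a small Levenshtein distance between two different addresses as a tampering signal rather than a typo. The following is an added example, not code from Cryptopolitan, Ledger, MetaMask or any of the packages named; the EVM-style address regex, the 8-edit threshold and the sample JSON-RPC request are assumptions.

```javascript
// Added example, not code from the article or the projects it names. A defender-side
// guard: compare the recipient in an outgoing eth_sendTransaction request with the
// address the user meant to pay. A clipper that picks its replacement by Levenshtein
// distance yields a "close but not equal" address, so a small edit distance between
// two different addresses is itself a signal of tampering.
const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Anything but "ok" should block signing; "lookalike-swap" is the verdict to alert on.
// The 8-edit threshold is an assumed tuning value, not one from the article.
function checkRecipient(intended, observed, lookalikeMax = 8) {
  if (!EVM_ADDRESS.test(intended) || !EVM_ADDRESS.test(observed)) {
    return { verdict: "invalid", distance: null };
  }
  const a = intended.toLowerCase(), b = observed.toLowerCase();
  if (a === b) return { verdict: "ok", distance: 0 };
  const distance = levenshtein(a, b);
  return { verdict: distance <= lookalikeMax ? "lookalike-swap" : "mismatch", distance };
}

// Inspect a raw JSON-RPC body the way a local proxy or wallet hook would see it.
function inspectRpcRequest(rawBody, intendedTo) {
  const req = JSON.parse(rawBody);
  if (req.method !== "eth_sendTransaction") return { verdict: "not-a-transfer", distance: null };
  const to = Array.isArray(req.params) && req.params[0] ? req.params[0].to : undefined;
  return checkRecipient(intendedTo, String(to || ""));
}

// Constructed sample (not real addresses): "to" has been swapped for a lookalike that
// differs from the intended recipient only in its last two characters.
const INTENDED_TO = "0xdeadbeef" + "0".repeat(31) + "1";
const SAMPLE_REQUEST = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_sendTransaction",
  params: [{ from: "0xfeedface" + "0".repeat(31) + "9",
             to: "0xdeadbeef" + "0".repeat(30) + "12", value: "0xde0b6b3a7640000" }] });
```

Running `inspectRpcRequest(SAMPLE_REQUEST, INTENDED_TO)` returns `{ verdict: "lookalike-swap", distance: 2 }`; a wallet hook would refuse to forward that request for signing and raise an alert.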
