Cybercriminals Target PayPal and Crypto Wallets with Malicious NPM Packages
April 14, 2025
Threat actors are targeting users of PayPal and cryptocurrency wallets by publishing malicious NPM packages designed to steal sensitive information and funds.
These malicious packages often use deceptive names related to PayPal, such as oauth2-paypal and buttonfactoryserv-paypal, to trick developers into installing them.
Fortinet has identified that several of these information-stealing packages were likely created in early March by the threat actors known as tommyboy_h1 and tommyboy_h2.
Among the targeted applications are popular cryptocurrency wallets like Atomic Wallet and Exodus, which have been compromised by a malicious package named pdf-to-office.
This particular package pretends to be a library for converting PDF files to Microsoft Office documents but actually overwrites local files with malicious versions that redirect outgoing funds to the attacker's crypto addresses.
The malicious code within these packages has been observed sending ZIP archives to remote servers, indicating a potential for information harvesting from infected systems.
A preinstall hook in these malicious packages runs a harmful script before the package is installed; the script harvests system data and sensitive information such as usernames and passwords and sends it to a remote server.
ReversingLabs warns that users affected by these attacks must completely uninstall and reinstall their compromised wallet applications to prevent ongoing fund diversion to the attackers.
In light of these threats, Fortinet advises users to exercise caution with unusual NPM packages that have names related to PayPal and to monitor network logs for unexpected connections to unknown servers.
Source: SecurityWeek, Apr 14, 2025, "Malicious NPM Packages Target Cryptocurrency, PayPal Users"