Some industry experts warn that the malware directly threatens users and may trigger large-scale on-chain exploits.
Mosyle security firm has discovered a malware strain capable of bypassing antivirus software detection and stealing information from crypto browser wallets. The malware spreads via fake recruiter ads online.
Major antivirus software did not detect ModStealer malware for almost a month before reporting it. It targeted developers already working with Node.js environments. ModStealer scans for browser-based crypto wallet extensions, system credentials, and digital certificates before sending the stolen information to a command and control (C2) server. The C2 server acts as a central hub for scammers to manage compromised devices.
According to research by 9to5Mac, ModStealer malware disguised itself on macOS systems as a background helper program to achieve persistence, ensuring it ran automatically every time the computer restarted. The infected systems had a file labeled sysupdater.dat and unusual connections to suspicious servers.
Shan Zhang, chief information security officer at SlowMist, a blockchain security company, revealed that ModStealer evades detection by mainstream antivirus software and poses a significant risk to the digital asset ecosystem. He added that the malware has multi-platform support and stealth execution, which differentiates it from traditional malware.
Charles Guillemet, Ledger CTO, revealed another similar attack that allowed attackers to compromise a Node Package Manager (npm) developer account in an attempt to spread malicious code, which may silently replace wallet addresses during transactions. He cautioned that such incidents show how vulnerable blockchain-related code libraries can be.
“The attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited impact. Still, this is a clear reminder: if your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge.”
-Charles Guillemet, Ledger CTO
Zhang warned that the ModStealer malware presents a direct threat to crypto users and platforms, adding that for individual users, the compromise of private keys, seed phrases, and exchange API keys may lead to immediate losses. He also noted that mass theft of browser extension wallet data could fuel large-scale on-chain exploits and weaken user trust while increasing risks across crypto supply chains.
Guillemet discovered that the JavaScript ecosystem was compromised by a massive supply chain attack targeting libraries such as chalk, strip-ansi, color-convert, and error-ex. The affected packages have been downloaded more than one billion times a week, which presents a severe threat to the blockchain ecosystem.
The malicious software worked as a crypto-clipper, meaning it could replace wallet addresses in network requests or modify transactions initiated via MetaMask and other wallets. The attack was discovered via a minor CI/CD pipeline build failure. The researchers later found that the malware used two strategies. The first strategy was passive address swapping, which monitored outgoing traffic requests and replaced wallet addresses with the hijacker’s controlled ones. It used the Levenshtein distance algorithm, which selects lookalike addresses, making it visually difficult to detect changes.
Another method the attackers utilized was active transaction hijacking, which modifies pending transactions in memory before forwarding them for user approval once a crypto wallet is detected. This tricked users into signing transfers directly to the attacker’s wallet.
Similar incidents have been reported on Cryptopolitan recently, where ReversingLabs’ research revealed another malware concealed on Ethereum smart contracts. The attack was downloaded via npm packages, including colortoolv2 and mimelib2, which acted as second-stage agents, fetching the malicious software stored on the Ethereum blockchain.
ReversingLabs revealed that the malicious software bypassed security scans by hiding the malicious URLs within the Ethereum smart contracts. It was later downloaded through fake GitHub repositories, which posed as cryptocurrency trading bots. The operation was linked to Stargazer’s Ghost Network, a system of coordinated attacks that boost the legitimacy of malicious repositories.
KEY Difference Wire helps crypto brands break through and dominate headlines fast
