Coinpaper
March 6, 2026 10:00 AM UTC

Microsoft Warns of Crypto-Stealing Malware Hidden in npm Packages

The attackers reportedly used Hugging Face repositories to exfiltrate stolen information, making the activity harder to detect. The campaign now forms part of the ongoing software supply-chain risks for developers and crypto users, particularly those storing wallet credentials, API keys, and other sensitive assets on development machines. Microsoft Exposes New Malware Campaign Microsoft warned that cybercriminals are targeting developers and cryptocurrency users through malicious software hidden inside public npm packages. According to Microsoft Threat Intelligence, two compromised npm packages, identified as utils-terminal@3.2.1 and logger-active@3.2.1, were discovered distributing a remote access trojan (RAT) capable of stealing sensitive information from infected systems. The malicious packages were reportedly designed to collect a wide range of data, including keystrokes, screenshots, cryptocurrency wallet credentials, and other confidential information. Since npm is one of the most widely used software registries for JavaScript developers, the threat has the potential to impact a large number of users who unknowingly install compromised dependencies while building applications or web services. Microsoft explained that the attackers used Hugging Face, a popular platform for artificial intelligence and machine learning projects, as part of their data exfiltration process. By routing stolen information through a trusted platform, the malicious activity may appear less suspicious than communications with traditional command-and-control servers, making detection more difficult for security teams. The threat is particularly concerning for crypto developers and investors. Developer workstations often contain browser-based crypto wallets, private keys, seed phrase backups, exchange API credentials, GitHub access tokens, and cloud service credentials. If attackers gain access to these assets, they could potentially compromise cryptocurrency holdings, development environments, trading systems, and source code repositories. Microsoft’s findings also align with a trend of attacks targeting software supply chains. In May, security researchers uncovered the TrapDoor malware campaign, which spread through dozens of malicious packages across npm, PyPI, and Rust repositories. That operation specifically targeted crypto and artificial intelligence developers by attempting to steal wallet data, cloud credentials, API keys, and SSH access. Blog post from Socket research team The latest warning also follows another recent report from Microsoft involving cryptojacking malware. In that campaign, attackers allegedly used poisoned search results and manipulated AI chatbot interactions to direct users toward fake software downloads. Once installed, the malicious programs leveraged system resources to mine cryptocurrency without the victims’ knowledge. Security experts recommend that developers carefully review newly installed packages, remove suspicious dependencies, rotate potentially exposed credentials, and monitor wallet activity for unauthorized transactions. Crypto users are also advised to avoid storing seed phrases on internet-connected devices and to thoroughly verify all wallet transactions before approving them.