.png){kind=logo}
Microsoft Threat Intelligence has warned that attackers are targeting cryptocurrency investors by hiding malware inside public npm open-source packages used by developers to build applications.
The campaign centers on two compromised npm packages, according to Microsoft’s cybersecurity division. npm serves as a major public registry for developers who rely on open-source tools.
Once a user or developer downloads the infected packages, the malware deploys a remote access Trojan on the victim’s operating system. The Trojan then runs quietly in the background. It can monitor the device, record keystrokes, take screenshots, and scan for stored private keys.
Attackers use the malware to steal wallet keys, passwords, and other sensitive data linked to cryptocurrency accounts.
Microsoft said the attackers used Hugging Face to route stolen data from infected devices. Hugging Face is widely used by artificial intelligence and machine learning developers, which makes the data route look less suspicious.
As a result, stolen crypto credentials can slip past basic security tools since the traffic does not point to an obviously malicious server. This method also shows how attackers now blend crypto theft with tools from the broader AI development ecosystem.
Related reports show that software supply-chain attacks remain active across the crypto sector.
On May 25, a TrapDoor malware campaign spread through more than 34 malicious packages across npm, PyPI, and Rust ecosystems. That campaign targeted crypto and AI developers through fake tools that stole wallet data, API keys, cloud credentials, and SSH access.
In March, Slow Fog also warned developers about malicious Axios releases that pulled in plain-crypto-js malware.
Those poisoned versions exposed crypto developers to cross-platform RATs and stolen credentials through npm.
Read More: Microsoft Build 2026: AI Models, Scout Agent, Solara Platform Unveiled
The npm warning follows another Microsoft malware report from May 26. In that case, attackers used poisoned search results and some AI chatbot interactions to spread fake PC utility downloads.
Those downloads installed GPU mining malware that secretly used a victim’s computer power to mine crypto. The campaign targeted users with powerful graphics cards, including PC gamers and hardware enthusiasts.
Attackers relied on SEO poisoning to push fake websites higher in search engine results. Microsoft said the malware abused ScreenConnect, Microsoft .NET utilities, and fake downloads for tools such as CrystalDiskInfo and HWMonitor.
The threat focused on high-performance computers as stronger GPUs can produce higher crypto-mining output. Microsoft’s latest warning urges developers to perform basic security checks after installing any suspicious package.
Developers should audit recent dependencies, remove suspicious packages, rotate exposed credentials, and review wallet activity. Crypto users should avoid storing seed phrases on connected devices and verify every wallet transaction before signing.
Microsoft’s warning shows how attackers are using compromised npm packages to target crypto investors and developers. The campaign can steal wallet keys, passwords, and private data while routing stolen information through Hugging Face. Developers should audit dependencies, rotate exposed credentials, and avoid storing seed phrases on connected devices.
