Microsoft Warns of Crypto-Stealing Trojan Hiding in Dev Tools

Microsoft's cybersecurity division has issued a warning about a new malware campaign that specifically targets cryptocurrency investors by hijacking widely used software development tools. Bad actors are hiding malicious code inside popular open-source packages, all in the name of stealing wallet keys and passwords — a hobby that is, regrettably, evergreen.

According to Microsoft Threat Intelligence, the attackers compromised two specific packages on npm, a sprawling public registry that developers use to build applications. Anyone who downloads these infected packages unwittingly ends up with a Remote Access Trojan (RAT) installed on their operating system. The Trojan then operates in the background, quietly recording keystrokes, taking screenshots, and scanning for stored private keys, among other unwelcome activities.

For exfiltration, the hackers are using a notably clever method: the stolen data is routed through Hugging Face, a popular platform favored by AI and machine learning developers. This allows the stolen crypto credentials to slip past basic security software, since the traffic has no suspicious-looking server attached to it — a small mercy for attackers and an unfortunate inconvenience for everyone else.

Separately, Microsoft uncovered another sophisticated threat just last week, also targeting high-performance computer users. Attackers are deploying a stealthy "cryptojacking" malware to quietly hijack a machine's processing power for secret crypto mining. This particular campaign hunts PC gamers and hardware enthusiasts who own high-end GPUs, presumably because nobody else has spare cycles to spare. The hackers rely on Search Engine Optimization (SEO) poisoning to push their fake websites to the top of search engine results — a reminder that Google is, as always, just one bad search away from a bad day.