Crypto Mining Malware and Open Source Malware Packages Doubled in Q1 2025

Journalist

Sead Fadilpašić

Journalist

Sead Fadilpašić

About Author

Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served…

Share

Last updated:

April 2, 2025 11:41 EDT

Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas – from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

The amount of crypto mining malware has doubled in the first quarter of 2025 relative to the quarter prior, according to a new quarterly malware report from software security platform Sonatype.

Notably, of nearly 18,000 malicious packages found in Q1 of this year, 7% were crypto mining malware.

The report highlights that this is double from 3.5% that the sector had recorded in the fourth quarter of 2024.

The increase shows that “resource-hijacking attacks are still prevalent in open source ecosystems,” the researchers say.

In total, from 1 January through 31 March, Sonatype found 17,954 pieces of open source malware. This is more than double compared to the first quarter of 2024.

At the same time, compared to Q4 2024, this represents a decrease from over 34,000 malicious packages. “This is largely due to the marked decrease in security holdings packages,” researchers say.

The researchers describe open source software security as “a bedrock for crypto engineers and software developers,” so the doubling in malware packages between Q1 2024 and Q1 2025 is “a worrying, deteriorating trend.”

Blockchain and Crypto Mining Malware Are ‘Particularly Insidious’

Sonatype researchers discovered a number of major campaigns. Per the report, these include hijacked npm crypto packages, a counterfeit Truffle for VS Code package, and a group of packages targeting Solana developers.

The report describes a coordinated attack whereby bad actors hijacked several crypto-related npm packages and republished them with malicious payloads. They use these to steal sensitive information.

“What makes this campaign particularly insidious is the attackers’ strategic focus on packages used in cryptocurrency and blockchain development, where credentials and secrets are often highly valuable,” researchers write.

In a separate software supply chain attack, npm packages containing Windows-based trojans targeted Solana developers. They were downloaded over 1,900 times.

The researchers commented that “this incident underscores the persistent threats within open source, particularly targeting the cryptocurrency development community.”

Meanwhile, Brian Fox, co-founder and CTO of Sonatype, notes that the company has seen an increase in more sophisticated types of open source malware. These innovative attacks have to be blocked before the malware enters the development environment. If it enters the repository, it’s too late.

80% of discovered packages in Q1 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware, says the report.

Furthermore, the researchers found that 56% of the discovered malware (an increase from 26% in Q4 2024) was related to data exfiltration. It harvests sensitive information from infected systems.

Also, Sonatype helped block more than 20,000 open source malware attacks in Q1 2025. This included 66% at financial services companies, 14% at government organizations, and 7% in the utilities, oil, and gas sector.

“The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors,” Fox warned.

Trending News
RecommendedPopular Crypto TopicsPrice Predictions

Explore new destinations with ease using the Garmin Drive 52 GPS Navigator! With over 17,988 ratings and a solid 4.4/5-star rating, this GPS system has been a top choice for travelers. Over 500+ units were bought in the past month, all for only $144.99.

This 5″ GPS navigator comes with essential driver alerts, real-time travel data, and external memory storage. The simple on-screen menus and bright, easy-to-see maps make it easy to navigate wherever you are. Plus, it’s road trip-ready with The HISTORY Channel database, featuring notable historic sites and much more to enhance your journey.

Don’t miss out—get your hands on the Garmin Drive 52 today for a smoother ride ahead! Buy Now for $144.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!