Crypto Mining Malware and Open Source Malware Packages Doubled in Q1 2025
The amount of cryptomining malware has doubled in the first quarter of 2025 relative to the quarter prior, according to a new quarterly malware report from software security platform Sonatype.
Notably, of nearly 18,000 malicious packages found in Q1 of this year, 7% were crypto mining malware. The report highlights that this is double from 3.5% that the sector had recorded in the fourth quarter of 2024. The increase shows that “resource-hijacking attacks are still prevalent in open source ecosystems,” the researchers say.
In total, from 1 January through 31 March, Sonatype found 17,954 pieces of open source malware. This is more than double compared to the first quarter of 2024. At the same time, compared to Q4 2024, this represents a decrease from over 34,000 malicious packages. “This is largely due to the marked decrease in security holdings packages,” researchers say.
The researchers describe open source software security as “a bedrock for crypto engineers and software developers,” so the doubling in malware packages between Q1 2024 and Q1 2025 is “a worrying, deteriorating trend.”
Blockchain and Crypto Mining Malware Are ‘Particularly Insidious’
Sonatype researchers discovered a number of major campaigns. Per the report, these include hijacked npm crypto packages, a counterfeit Truffle for VS Code package, and a group of packages targeting Solana developers.
The report describes a coordinated attack whereby bad actors hijacked several crypto-related npm packages and republished them with malicious payloads. They use these to steal sensitive information.
“What makes this campaign particularly insidious is the attackers’ strategic focus on packages used in cryptocurrency and blockchain development, where credentials and secrets are often highly valuable,” researchers write.
In a separate software supply chain attack, npm packages containing Windows-based trojans targeted Solana developers. They were downloaded over 1,900 times. The researchers commented that “this incident underscores the persistent threats within open source, particularly targeting the cryptocurrency development community.”
Meanwhile, Brian Fox, co-founder and CTO of Sonatype, notes that the company has seen an increase in more sophisticated types of open source malware. These innovative attacks have to be blocked before the malware enters the development environment. If it enters the repository, it’s too late.
80% of discovered packages in Q1 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware, says the report. Furthermore, the researchers found that 56% of the discovered malware (an increase from 26% in Q4 2024) was related to data exfiltration. It harvests sensitive information from infected systems.
Also, Sonatype helped block more than 20,000 open source malware attacks in Q1 2025. This included 66% at financial services companies, 14% at government organizations, and 7% in the utilities, oil, and gas sector.
“The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors,” Fox warned.