Crypto malware attacks: 23 supply chain incidents set off alarms

Bank robbers, it has long been said, rob banks because that’s where the money is. Increasingly for cybercriminals and nation-state threat actors, the infrastructure and applications supporting cryptocurrency are where the money is. And indeed, the global cryptocurrency market cap as of March 24 stood at $2.99 trillion, according to Forbes.

Last year, several crypto-motivated attacks on the software supply chain were carried out using open-source software (OSS) repositories. Attackers posted malicious packages designed to target cryptocurrency data and assets with the hope that unsuspecting developers would download them. These incidents ranged from straightforward attack playbooks that security teams already know well to new high-touch techniques that demonstrate the growing sophistication of these attacks.

Here are the major supply chain attacks targeting cryptocurrency in 2024, as spotlighted in ReversingLabs' annual report on the state of software supply chain security.

Download: 2025 Software Supply Chain Security ReportSee the SSCS Report Webinar

PyPI and npm serve up malicious crypto campaigns

RL’s annual report counted 23 crypto-related campaigns that involved malicious code being uploaded to the Python Package Index (PyPI) and npm, two popular OSS repositories. Most of the malicious crypto-related campaigns were on npm, which accounted for 14 out of the 23 total campaigns documented by RL and other security research teams in 2024. The remaining nine campaigns were found on PyPI.

These 23 attacks demonstrated a range of sophistication levels, which highlights the growing diversity in how crypto-related supply chain attacks are carried out.

Most of the attacks on both npm and PyPI were standard fare for attacks on OSS. For example, a malicious campaign discovered by RL that targeted developers working on projects related to generating and securing cryptocurrency wallets, dubbed BIPClip, employed typosquatting, a very common attack technique, to fool victims into adding compromised file dependencies that can enable the theft of cryptocurrency from users’ wallets.

However, some of the crypto-related malicious campaigns analyzed in RL’s annual report employed more sophisticated techniques. For instance, in November 2024, RL researchers detected malicious code in a legitimate-looking Python package, aiocpa. What turned the heads of researchers was that the package had been originally engineered as a legitimate crypto client, only to have a subsequent malicious-version update compromise cryptocurrency wallets using the client. Researchers believe that attackers played a long game with this campaign, establishing a sense of legitimacy to draw in a consistent user base that would later become victim to malicious code.

Also, in one of the most impactful incidents targeting crypto supply chains in 2024, unknown malicious actors compromised the npm package @solana/web3.js, a JavaScript API for use with the Solana blockchain platform. This package ranks among the top 10,000 projects in the npm community, with more than 3,000 dependent projects generating 400,000 weekly downloads. In this malicious campaign, attackers implanted malicious functions in two versions of @solana/web3.js that were intended to steal sensitive information from victims.

RL researchers used ReversingLabs Spectra Assure’s differential analysis capability to compare the malicious versions 1.95.6 and 1.95.7 of @solana/web3.js to safe versions of the package. That analysis unearthed new file content in both versions 1.95.6 and .7 that contained URLs pointing to suspicious top-level domains.

What crypto developers need to watch out for

The 23 incidents analyzed in the 2025 Software Supply Chain Security Report should serve as a wakeup call for developers and application security teams responsible for deploying and managing cryptocurrency-related infrastructure and applications. The various kinds of techniques now being used by threat actors to drain crypto wallets and compromise crypto-based software supply chains demonstrate attackers’ ability to become more sophisticated in an effort to reap greater gains.

Because 2024 served up several examples of threat actors going beyond typosquatting to pull off these financially motivated attacks, it’s more important than ever for security teams to practice robust software supply chain security.

Get the 2025 Software Supply Chain Security Report to learn more about the state of software security.