The first quarter of 2025 has seen a doubling in the share of crypto mining malware compared to the previous quarter, according to the latest quarterly malware report from Sonatype, a software security platform. Out of nearly 18,000 malicious packages identified in Q1 of this year, 7% were related to crypto mining malware. This marks a significant increase from the 3.5% recorded in the fourth quarter of 2024.
The report highlights the prevalence of resource-hijacking attacks in open source ecosystems, emphasizing the need for heightened security measures. In total, Sonatype discovered 17,954 pieces of open source malware between January and March, more than double the number found in the first quarter of 2024. However, this number represents a decrease from the over 34,000 malicious packages identified in Q4 2024, primarily due to a decrease in security holding packages.
The researchers at Sonatype describe open source software security as crucial for crypto engineers and software developers. The doubling in malware packages between Q1 2024 and Q1 2025 signals a concerning trend of deteriorating security within open source ecosystems.
One of the major findings in the report was the discovery of several coordinated attacks targeting cryptocurrency and blockchain developers. These attacks included hijacked npm crypto packages, a counterfeit Truffle for VS Code package, and a group of packages specifically targeting Solana developers. The attackers republished these packages with malicious payloads to steal sensitive information, highlighting the strategic focus on cryptocurrency and blockchain development where credentials and secrets are highly valuable.
Brian Fox, co-founder and CTO of Sonatype, noted the increase in sophisticated types of open source malware that must be intercepted before entering the development environment. The report found that 80% of discovered packages in Q1 consisted of more advanced and threatening types of malware such as droppers and code injection malware.
Additionally, data exfiltration attacks, which harvest sensitive information from infected systems, accounted for 56% of the discovered malware in Q1 2025, up from 26% in Q4 2024. Sonatype assisted in blocking over 20,000 open source malware attacks in the first quarter of 2025, with a significant percentage targeting financial services companies, government organizations, and the utilities, oil, and gas sector.
The evolving sophistication of threat actors underscores the importance of proactive security measures to safeguard against open source malware. As the threat landscape continues to evolve, organizations must remain vigilant in protecting their software ecosystems from malicious attacks.