What is a supply chain attack in crypto?
A supply chain attack in the crypto domain is a cyberattack where hackers target third-party components, services or software that a project relies on instead of attacking the project itself. These components may include libraries, application programming interfaces (APIs) or tools used in decentralized applications (DApps), exchanges or blockchain systems.
By compromising these external dependencies, attackers can insert harmful code or gain unauthorized access to critical systems. For instance, they might alter a widely used open-source library in DeFi platforms so that, once deployed, it steals private keys or redirects funds.
The dependence of the crypto ecosystem on open-source software and third-party integrations makes it highly susceptible to such attacks. These attacks exploit weak entry points such as compromised npm (Node Package Manager) or GitHub dependencies, where attackers inject malicious code into widely used libraries.
Hardware wallets or SDKs can also be tampered with during manufacturing or updates, exposing private keys. Moreover, attackers may breach third-party custodians or oracles, manipulating data feeds or wallet access to steal funds or disrupt smart contracts across decentralized finance (DeFi) platforms.
Did you know? Some attackers host clean code on GitHub but publish malicious versions to PyPI or npm. Developers trusting the GitHub repo may never suspect that what they are installing is different and risky.
How supply chain attacks work in crypto
Supply chain attacks in cryptocurrency are complex cyberattacks that exploit vulnerabilities in a project’s external dependencies.
Here is how these attacks typically occur:
- Targeting a component: Attackers identify a widely used third-party component, such as an open-source library, smart contract dependency or wallet software, that many crypto projects depend on.
- Compromising the component: They tamper with the component by inserting malicious code or altering its functionality. This might involve hacking a GitHub repository, distributing a fake software package, or modifying a hardware wallet.
- Unknowing adoption: Crypto developers or platforms integrate the compromised component into their systems without realizing it has been altered. Since many projects rely on automated processes and trusted sources, the attack spreads undetected.
- Exploitation in use: Once the component is active in a live application, it may perform harmful actions, such as stealing private keys, redirecting funds or manipulating data, when users interact with the application or protocol.
- Broad impact: The attack can affect numerous users and platforms if the compromised component is widely used, amplifying its reach before it is detected.
- Detection and response: The breach is often discovered only after significant damage, such as the theft of funds, has occurred. Pursuing the attackers and recovering lost crypto is difficult because blockchain transactions are anonymous and irreversible.
Did you know? Many supply chain attackers use Telegram bots to receive stolen data like seed phrases or API keys. It is stealthy, quick and hard to trace, one reason why Telegram keeps showing up in crypto hack reports.
Malicious supply chain attacks targeting crypto projects
In 2024, attackers increasingly used open-source software (OSS) repositories to launch supply chain attacks aimed at cryptocurrency data and assets. Their goal was to trick developers into downloading harmful packages.
According to ReversingLabs’ “2025 Software Supply Chain Security Report,” the OSS platforms used for these attacks were npm and PyPI. Here are the associated details:
- Targeted repositories: Attackers uploaded malicious code to two widely used OSS platforms, npm and Python Package Index (PyPI).
- Campaign count: ReversingLabs (RL) reported 23 crypto-related campaigns in total.
- npm focus: Out of the campaigns launched, 14 were on npm, making it the most targeted.
- PyPI cases: The remaining nine campaigns occurred on PyPI.
There are varying levels of sophistication in attacks. Campaigns could range from basic, well-known methods to more advanced, stealthy approaches. Typosquatting is a common technique used in supply chain attacks where malicious packages closely mimic legitimate ones.
Examples of supply chain attacks in crypto
This section examines four real-world instances of supply chain attacks in crypto, revealing attacker methods and crucial lessons for enhancing security:
Bitcoinlib attack
In April 2025, hackers targeted the Bitcoinlib Python library by uploading malicious packages, “bitcoinlibdbfix” and “bitcoinlib-dev,” to PyPI, posing as legitimate updates. These packages included malware that replaced the command-line tool “clw” with a version that stole private keys and wallet addresses.
Once installed, the malware sent sensitive data to attackers, enabling them to empty victims’ wallets. Security researchers detected the threat using machine learning, preventing further harm. This incident emphasizes the dangers of typosquatting attacks in open-source platforms and the need to verify package authenticity before installation.
Aiocpa long-term exploit
The “aiocpa” exploit was a complex supply chain attack targeting cryptocurrency developers through the Python Package Index (PyPI). Launched in September 2024 as a legitimate Crypto Pay API client, the package gained trust over time. In November, version 0.1.13 introduced hidden code that stole sensitive information, such as API tokens and private keys, sending it to a Telegram bot.
The malicious code was not present in the GitHub repository, bypassing typical code reviews before it was detected by machine learning tools, leading to the quarantining of the package. This incident highlights the need for careful dependency management and advanced threat detection in open-source platforms.
The @solana/web3.js supply chain attack
In one of the most notorious supply chain attacks in 2024, malicious actors compromised the @solana/web3.js package, a widely used JavaScript API for interacting with the Solana blockchain. Attackers injected harmful code into versions 1.95.6 and 1.95.7, aiming to steal sensitive user information.
The package, with over 3,000 dependent projects and 400,000 weekly downloads, was an ideal target due to its widespread use. This incident demonstrated how even trusted, high-profile packages can become attack vectors, posing significant risks to developers and users across the crypto ecosystem.
DNS hijack of Curve Finance
In 2023, Curve Finance suffered a DNS hijack through its domain registrar. Attackers compromised the registrar account and altered the DNS records, redirecting users from Curve’s official website to a malicious clone site. While the backend smart contracts remained secure, users who accessed the spoofed frontend unknowingly approved transactions that drained their wallets.
This incident highlighted a major vulnerability in DeFi: Although blockchain infrastructure is secure, reliance on centralized web services like DNS creates weak points ripe for exploitation.
Did you know? In a supply chain trick called dependency confusion, attackers upload fake internal packages to public registries. If a developer’s system installs the wrong version, attackers gain a backdoor to their crypto apps.
How supply chain attacks impact crypto projects
Supply chain attacks can lead to significant losses to crypto projects through stolen funds, compromised user data and reputational damage. They undermine trust in decentralized systems.
- Loss of funds and assets: Attackers may insert malicious code to steal private keys, redirect transactions, or exploit weaknesses in wallets, causing direct financial losses for users and platforms.
- Reputation damage: A single compromised element can undermine trust. Projects perceived as unsafe may lose users, investors and partners, significantly harming growth and credibility.
- Legal and regulatory issues: Security breaches often draw regulatory attention, particularly when user funds are affected. This can lead to legal consequences, compliance audits or forced platform closures.
- Service disruptions: Attacks can cause significant technical issues, requiring platforms to pause operations, revert code, or issue urgent fixes, which slows down development and operations.
- Broader ecosystem impact: If a widely used component (e.g., npm libraries or APIs) is compromised, the attack can spread across multiple projects, increasing damage throughout the cryptocurrency ecosystem.
How to prevent supply chain attacks in crypto
Supply chain attacks in cryptocurrency often target trusted components like libraries, APIs and infrastructure tools in subtle ways. Due to their indirect nature, preventing these attacks requires proactive measures throughout a project’s development and operations.
Below are key practices to protect against such risks:
- Code and dependency management: Crypto developers should use dependencies only from trusted, verified sources. Locking package versions and checking file integrity with checksums can prevent unauthorized changes. Regularly reviewing dependencies, especially those accessing sensitive functions, is essential. Removing unused or outdated packages significantly reduces risks.
- Infrastructure security: Secure CI/CD pipelines with strict access controls and multifactor authentication. CI/CD stands for continuous integration and continuous deployment (or continuous delivery), a set of software development practices that help teams deliver code changes more frequently and reliably through automated build, test and release workflows. Use code signing to confirm software build authenticity. Monitor DNS settings, registrar accounts and hosting services to detect tampering early. Employ isolated build environments to separate external code from critical systems.
- Vendor and third-party risk management: Evaluate the security practices of all external partners, such as custodians, oracles and service providers. Collaborate only with vendors who provide transparency, disclose vulnerabilities, and hold security certifications. Have backup plans ready if a vendor is compromised.
- Community and governance vigilance: Build a security-conscious developer community by encouraging peer reviews and bounty programs. Promote open-source contributions but maintain transparent governance. Educate all stakeholders about new attack methods and response procedures.
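To make the pinning-and-checksum practice from the dependency management point concrete, here is an added Python example (not code from this article or from any project it cites) that builds a hash-pinned lockfile from reviewed package archives and then rejects a later install in which a package's contents changed or an unreviewed lookalike such as “bitcoinlib-dev” appeared. All package names other than bitcoinlib, plus every version and archive content, are constructed for the example.

```python
import hashlib
import re

# One pinned line in pip's hash-checking syntax: name==version --hash=sha256:<hex>
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
                    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$")

def build_lockfile(trusted: dict) -> str:
    """Pin each reviewed package to an exact version and the sha256 of its archive."""
    return "".join(f"{n}=={v} --hash=sha256:{hashlib.sha256(d).hexdigest()}\n"
                   for n, (v, d) in sorted(trusted.items()))

def parse_lockfile(text: str) -> dict:
    """Map package name -> (version, digest); any unpinned line is an error."""
    pins = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins

def verify_packages(lock_text: str, received: dict) -> list:
    """Return the problems found; [] means every received archive matches its pin.
    Packages absent from the lockfile are rejected too, so an unreviewed lookalike cannot ride along."""
    pins, problems, seen = parse_lockfile(lock_text), [], set()
    for name, (version, data) in received.items():
        key = name.lower()
        seen.add(key)
        if key not in pins:
            problems.append(f"{name}: not in lockfile (unexpected dependency)")
            continue
        want_version, want_digest = pins[key]
        if version != want_version:
            problems.append(f"{name}: version {version} != pinned {want_version}")
        if hashlib.sha256(data).hexdigest() != want_digest:
            problems.append(f"{name}: sha256 mismatch (contents changed since review)")
    problems += [f"{k}: pinned but missing from install" for k in pins if k not in seen]
    return problems

# Constructed stand-ins for reviewed package archives (not real PyPI releases).
TRUSTED = {"bitcoinlib": ("1.0.0", b"def clw(): return 'reviewed wallet cli'\n"),
           "examplelib": ("2.0.0", b"def helper(): return 42\n")}
LOCKFILE = build_lockfile(TRUSTED)
# Constructed later install: same bitcoinlib version, altered contents, plus a lookalike.
RECEIVED = {**TRUSTED,
            "bitcoinlib": ("1.0.0", b"def clw(): return 'tampered build'\n"),
            "bitcoinlib-dev": ("1.0.1", b"def clw(): return 'unreviewed'\n")}
```

Running `verify_packages(LOCKFILE, RECEIVED)` reports the altered bitcoinlib archive and the unreviewed bitcoinlib-dev package, while the same call against `TRUSTED` returns an empty list.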