Cryptocurrency Industry Remains the Top Target for Software Supply Chain Attacks

When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with the cryptocurrency industry.

When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with the cryptocurrency industry. As Balena’s 2025 Software Supply Chain Security Report notes: In 2024, there were close to two dozen sustained supply chain campaigns designed to compromise cryptocurrency applications, crypto owners’ wallets and trading platforms.

In 2025, there is no change in that trend line. A string of malicious software supply chain campaigns have targeted developers working on crypto-related applications. The latest popped onto the Balena research team’s radar last week when automated machine learning (ML) detection features in Balena’s Spectra platform identified two malicious Python packages posted to the Python Package Index (PyPI) containing code designed to exfiltrate sensitive database files.

Here’s how the crypto malware was discovered by the Balena research team.

[ Download Today: 2025 Software Supply Chain Security Report | See the SSCS Report Webinar ]

Popular Python crypto library targeted with a fake fix

The Python packages we found both had names that target users of bitcoinlib, a popular Python library that contains features for creating and managing crypto wallets, interacting with the Blockchain, and running Bitcoin scripts, among other things. Bitcoinlib is a widely used open source library, with more than one million downloads to date and frequent updates.

The malicious packages detected were named bitcoinlibdbfix and bitcoinlib-dev. Both packages are apparent references to an issue raised recently related to error messages being generated by bitcoinlib during bitcoin transfers, with calls from developers for the maintainers to address that issue.

The malicious libraries both attempt a similar attack, overwriting the legitimate clw cli command with malicious code that attempts to exfiltrate sensitive database files.

The developers responsible for the “scam libraries” appear to have joined in a discussion with other bitcoinlib developers and attempted to get the bitcoinlibdbfix library downloaded and run. However, the malicious content of that library was detected by the package contributors and the comments deleted.

The second malicious package, bitcoinlib-dev, was uploaded to PyPI shortly after the first package was removed from the package manager, but has now been removed and is not available for download.

A big win for ML detection of supply chain attacks

While the threat remains on PyPI, Balena’s detection of the malicious packages is evidence of the growing power of AI and machine learning (ML) in detecting emerging software supply chain attacks.

Both the bitcoinlibdbfix and bitcoinlib-dev packages were flagged in Balena’s Spectra platform using Machine Learning (ML) algorithms that can detect novel malware by analyzing the behaviors that software components exhibit. It then flags those that resemble behaviors associated with previously discovered malware campaigns and software supply chain attacks.

By encapsulating threat hunting intelligence like that in discrete security policies like these, Spectra is capable of spotting emerging threats in Python and other open source packages — even absent social engineering campaigns like the one carried out by the developers of the malicious bitcoinlib packages.

Automated detection like this is critical if software publishers and end-user organizations hope to shield themselves from the rising tide of software supply chain attacks targeting cryptocurrency.

Karlo Zanki, reverse engineer at Balena,, said that using open-source packages in your development environment and software project “can pose a significant security risk.”

“Automated ML detections are the only way to implement real-time protection from emerging threats that bypass traditional signature-based detection mechanisms. The number of new packages that get published on a daily basis is posing a challenge for security organizations and ML model based detection is currently the best answer that the cybersecurity industry can provide.”—Karlo Zanki