Category for malicious information stealing?

I'm working on filing advisories for crates we've recently removed from crates.io. These crates were intentionally malicious and attempting to exfiltrate information, including cryptocurrency private keys and API tokens. Should there be a category (or categories) for this?