Open source malware up 140 percent


The latest OS Malware Index from Sonatype shows a 140 percent surge in open source malware as attackers target data and trusted dependencies.
The index is compiled from analysis of 34,319 open source malware packages discovered by Sonatype across major open source registries including npm, PyPI, Hugging Face, and more. This quarter’s count brings the total number of malicious packages Sonatype has discovered to 877,522 since 2019.
“The era of noisy, opportunistic malware is over. Attackers are patient, organised, and increasingly using AI to embed themselves inside the very tools developers rely on,” says Brian Fox, CTO and co-founder of Sonatype. “They’re hiding malicious payloads in plain sight, turning trusted open source dependencies into delivery mechanisms for data theft and persistence. Defenders need to match that sophistication with AI-driven visibility and proactive controls that stop threats before they ever reach a developer’s environment.”
A series of attacks against the open source package manager npm highlights that attackers are no longer just inserting malicious code into the ecosystem -- they're turning the supply chain itself into a weapon.
In the third quarter, data exfiltration malware accounted for 35 percent of all malicious open source packages detected, underscoring the trend previous quarters have shown: a growing focus on intelligence-gathering, espionage, and monetization of stolen data. Adversaries are targeting developer credentials, access tokens, and proprietary information, turning open source ecosystems into rich hunting grounds for data-driven exploitation.
Droppers, which act as lightweight delivery mechanisms that install secondary payloads such as backdoors or info-stealers, skyrocketed in Q3, making up nearly 38 percent of all threats, while backdoor-laden packages grew 143 percent quarter-over-quarter.
By contrast, cryptominers are in decline and accounted for just four percent of malicious packages in Q3, down from six percent the previous quarter. This decline reflects the commoditization of simple malware -- attackers no longer find value in easily detectable, one-dimensional exploits. Instead, they're investing in stealth, persistence, and long-term financial return.
You can read more on the Sonatype blog.