Researchers say more than 454,000 malicious open source packages were found in 2025

March 22, 2026 · 2 min read · 2 sources

Sonatype says it has identified more than 454,000 malicious open source packages since 2019, a surge the company describes as evidence that open source malware has become industrialized rather than opportunistic. The packages were found across major ecosystems used by developers and enterprises, including npm, PyPI, Maven Central, and NuGet.

According to Sonatype, attackers are increasingly using automation to publish lookalike packages, poison dependency chains, and push malicious updates at scale. Common tactics include typosquatting (registering names one keystroke away from popular packages), dependency confusion (publishing a public package under a name an organization only uses internally, so a resolver that merges public and private indexes picks the attacker's higher version), and abuse of install-time scripts such as npm's preinstall and postinstall hooks to steal credentials, exfiltrate secrets, or fetch second-stage malware. The report does not point to a single CVE; instead, it tracks a broad supply-chain threat trend across public package registries.

The scale matters because these repositories sit directly in software build pipelines. A malicious package can reach developer workstations, CI/CD systems, and production applications through routine dependency installs. If tokens or cloud credentials are exposed, the damage can extend well beyond a single machine to source code theft, account takeover, and downstream compromise of customers.

Sonatype argues that public registries should now be treated as hostile-by-default sources, with organizations enforcing tighter controls over what dependencies can be pulled into builds. Recommended defenses include allowlisting approved packages, pinning versions, using private mirrors or proxy registries, scanning dependencies for malware, and limiting automatic script execution during installs. For remote developers working across public networks, basic protections such as a VPN may help reduce exposure, but they do not address the core software supply-chain risk.
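The following is an added example, not code from Sonatype or from the report: a small pre-build gate for a pip requirements file that applies several of the defenses listed above (allowlisting, exact version pins, hash pins, a private index used correctly) and flags two of the tactics described earlier (typosquat look-alikes and dependency-confusion exposure). The allowlist, the internal package name, the index URL and the requirements file are all constructed for the example, and the hash value is a placeholder.

```python
"""Policy gate for a pip requirements file: allowlist, exact pins, hash pins,
typosquat look-alikes and dependency-confusion exposure (added example)."""
import re
from dataclasses import dataclass

# Constructed allowlist of reviewed public packages (assumption for this example).
APPROVED = {"requests", "urllib3", "cryptography", "PyYAML"}
# Constructed set of names published only to an internal index (assumption).
INTERNAL = {"acme-billing-core"}

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#,]*)")


@dataclass(frozen=True)
class Finding:
    name: str
    issue: str


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance. A transposition counts as one
    edit, which matters because swapped letters are a common typosquat pattern."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def logical_lines(text: str) -> list:
    """Join backslash continuations and drop blank lines and comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit(text: str, approved=APPROVED, internal=INTERNAL, max_distance: int = 1) -> list:
    """Return policy findings for one requirements file."""
    findings = []
    approved_n = {normalize(n) for n in approved}
    internal_n = {normalize(n) for n in internal}
    lines = logical_lines(text)
    # --extra-index-url merges a second index with PyPI and lets pip take the
    # highest version from either side: the classic dependency-confusion path.
    # A private mirror should be the sole --index-url instead.
    extra_index = any(l.startswith("--extra-index-url") for l in lines)
    for line in lines:
        if line.startswith("-"):
            continue  # pip options such as --index-url / --extra-index-url
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if name in internal_n:
            if extra_index:
                findings.append(Finding(name, "internal name resolvable from the public index via --extra-index-url"))
        elif name not in approved_n:
            near = sorted(a for a in approved_n if osa_distance(name, a) <= max_distance)
            issue = f"possible typosquat of {near[0]}" if near else "not on allowlist"
            findings.append(Finding(name, issue))
        if op != "==" or not version:
            findings.append(Finding(name, "not pinned to an exact version"))
        if "--hash=" not in line:
            findings.append(Finding(name, "no --hash pin"))
    return findings


# Constructed requirements file for the example (not a real project's).
SAMPLE_REQUIREMENTS = """\
# internal index added as an *extra* index: the risky pattern
--extra-index-url https://pypi.internal.example/simple
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=2.0
reqeusts==2.32.3
acme-billing-core==1.4.0
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.name}: {f.issue}")
```

Run against the constructed file, the gate passes `requests` (approved, exactly pinned, hashed), flags `urllib3` for a range specifier and a missing hash, flags `reqeusts` as a one-edit neighbour of `requests`, and flags `acme-billing-core` because the file reaches the internal index through `--extra-index-url` rather than using a private mirror as the only `--index-url`. In practice the hash check is enforced at install time with `pip install --require-hashes -r requirements.txt`; the npm counterparts of these controls are a committed lockfile installed with `npm ci` and `ignore-scripts=true` in `.npmrc`. A gate like this complements, rather than replaces, malware scanning of the packages themselves.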

The findings extend a multi-year rise in open source package abuse, and the scale of this figure suggests attackers are now operating with assembly-line efficiency. For defenders, the message is straightforward: package trust can no longer be assumed, even when software comes from widely used public registries.
