July 8, 2025 - Sonatype®, the end-to-end software supply chain security company, today released the Q2 2025 edition of its Open Source Malware Index, uncovering 16,279 malicious open source packages across major ecosystems including npm and PyPI. This quarter's count brings the total number of open source malware packages Sonatype has discovered to 845,204. Compared to the end of the same quarter last year, the total volume of malware logged by Sonatype has surged 188%, underscoring the growing sophistication and scale of attacks aimed at developers, software teams, and CI/CD pipelines.
"Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in," said Brian Fox, CTO and Co-founder of Sonatype. "Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies."
Data exfiltration remains the most prevalent threat vector, accounting for 55% of all malicious packages discovered. In Q2 alone, more than 4,400 packages were specifically designed to steal sensitive data, including secrets, personally identifiable information (PII), passwords, access tokens, and API keys. These attacks increasingly target the critical intersection of developer tools and production environments, where a single leak can compromise entire systems.
While data exfiltration holds the top spot, Sonatype analysts observed a notable uptick in malware focused on data corruption, with such threats doubling in frequency to represent over 3% of all malicious packages — more than 400 unique instances in Q2 2025. These packages aim to damage files, inject malicious code, or otherwise sabotage applications and infrastructure.
Malware built for cryptomining comprised 5% of all packages in Q2, marking a slight decline from the previous quarter. This trend may reflect a shift in attacker focus from resource exploitation to more insidious goals such as credential theft and long-term infiltration.
Notably, Lazarus Group, an Advanced Persistent Threat (APT) associated with the North Korean government, was associated with 107 packages discovered by Sonatype in Q2 2025 that collectively have more than 30,050 known downloads. This demonstrates that some of the most sophisticated threat groups in the world are leveraging open source to accomplish cyber espionage, financial cybercrime, and more.
Sonatype's Open Source Malware Index draws from its proprietary behavioral and automated malware detection systems, actively monitoring and analyzing activity across ecosystems such as npm, PyPI, Maven Central, and more. The Index is part of Sonatype's ongoing commitment to equipping organizations with the most up-to-date information on open source security threats. As open source usage continues to grow globally, these insights underscore the need for proactive measures to safeguard the software supply chain.
Sonatype Repository Firewall is the industry's only solution designed to block malicious open source components and AI models before they attack developers through AI behavioral analytics and automated policy enforcement. Backed by Sonatype's industry-leading security research team, Sonatype Repository Firewall helped customers prevent 88,150 open source malware attacks in Q2 of this year, with the majority facing financial services and government organizations.
For more details and access to the latest Open Source Malware Index data, visit https://www.sonatype.com/blog/open-source-malware-index-q2-2025.
Sonatype Repository Firewall and all other Sonatype solutions are available in Romania through Simple IT, Sonatype Partner in Romania.
About Simple IT
SIMPLE IT is a distributor for software solutions and hardware appliances, adding value with consulting, training, implementation, configuration and support services, backed by certified specialists, in order to offer the best IT experience to customers and partners. For more information, please visit www.simpleit.com.ro.