Developers face a torrent of malware threats as malicious open source packages surge 188%

Neptune RAT malware concept image showing a skull and crossbones in binary code against a red colored backdrop.

(Image credit: Getty Images)

published 8 July 2025

The number of open source malware packages is rising fast, and security researchers are warning software developers to remain vigilant.

Software supply chain security firm Sonatype reports that it uncovered 16,279 malicious open source packages across major ecosystems, including npm and PyPI, over the last quarter.

Overall, the total volume of malware logged by the firm has surged by 188% compared with the same quarter last year.

"Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in," said Brian Fox, CTO and co-founder of Sonatype.

“Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies.”

The main threat vector was data exfiltration, accounting for 55% of all malicious packages discovered. In the second quarter alone, Sonatype found more than 4,400 packages were specifically designed to steal sensitive data, including secrets, personally identifiable information (PII), passwords, access tokens, and API keys.

There was also a big rise in malware focused on data corruption, which now accounts for 3% of all malicious packages, twice as many as last year.

Meanwhile, cryptomining malware accounted for 5% of all packages in the second quarter, slightly down from the previous quarter. Sonatype attributed this to a shift among attackers from resource exploitation to credential theft and long-term infiltration.

Many of the packages used advanced techniques for exfiltrating sensitive data, including exfiltrating .git-credentials, AWS secrets, and environment variables; targeting developer systems to harvest credentials used in CI/CD pipelines; and using time-delayed payloads and encrypted transmissions to avoid detection.

"We continue to see a large volume of malware targeting environment variables, config files, and other common places used by CI/CD tools and cloud services to store sensitive information," said Sonatype principal security researcher Garrett Calpouzos.

"Once attackers collect these credentials, they can attempt unauthorized access to cloud accounts, APIs, databases, and internal systems, opening the door to broader compromise and exploitation."

Open source ecosystem threats are growing

The notorious Lazarus Group, an Advanced Persistent Threat (APT) associated with the North Korean regime, was behind 107 packages, accounting for more than 30,050 known downloads.

Earlier this year, SecurityScorecard revealed that the group's latest campaign, dubbed Operation Marstech Mayhem, was based on an advanced implant named Marstech1 and designed to compromise software developers and cryptocurrency wallets through manipulated open source repositories.

By embedding its malware inside NPM packages, researchers said it made it almost impossible for developers to detect without thorough vetting.

Similarly, Fortinet warned last year it had identified thousands of malicious packages distributed across open source repositories.

The packages included lightweight code designed to evade detection, scripts that execute malware upon installation and packages lacking repository URLs, making them harder to trace.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.