The growth of open source malware has continued apace in 2024, according to new research, with cyber criminals taking advantage of the proliferation of open source software.
A report from software supply chain management firm Sonatype found there was a 156% increase in malicious packages identified on open source repositories over the past year.
Sonatype has identified 778,529 malicious open source packages since it began tracking them in 2019, which it noted was an increase of 70,000 since its annual report was published in October.
Open source malware are malicious packages that disguise themselves as legitimate open source software (OSS) to infiltrate software supply chains.
The three distinct characteristics of open source malware listed in the report were their intentional insertion into open source repositories for malicious purposes, their specific targeting of developers, and ability to evade conventional detection methods.
Sonatype said this approach is able to circumvent traditional security measures and poses a unique threat to enterprises.
“This unique distribution method — compromised open source repositories — exploits gaps in dependency management tooling and development build pipelines, bypassing conventional security mechanisms in order to attack software developers directly,” the report warned.
Npm accounts for over 98% of malicious open source packages
Sonatype noted that software repositories like npm and PyPI process trillions of open source package requests each year, featuring a publishing model that is designed to ensure speed of delivery with the aim of helping foster agile development and innovation.
The unintended consequence of this model is that it makes it far easier for hackers to smuggle their malicious packages onto the platforms unnoticed.
For example, the report noted that npm, the world’s largest JavaScript package registry, was disproportionately impacted by the plague of malicious packages.
Overall, npm accounted for 98.5% of the malicious packages identified by Sonatype over the course of 2024; whereas PyPI, the official package repository for Python, represented just 1% of open source malware Sonatype detected.
In total, Sonatype found over 540,000 malicious components hosted on npm, dwarfing the roughly 5,000 malicious assets identified on PyPI.
Sonatype said the ease of publishing on npm, which allows devs to publish packages with minimal verification, means they can “upload malicious components quickly and at scale”.
The report added that npm has been a victim of surges of spam packages in recent years.
A significant proportion of this spam looks to simply monetize a high volume of downloads using protocols like Tea.xyz, whereas others are seeking to embed malware into projects for more nefarious purposes.
Finally, the sheer scale of demand on the npm platform, which will have received an expected 4.5 trillion requests in 2024 – up 70% compared to 2023 – makes it an ideal target for threat actors looking to maximize their impact.
Speaking to ITPro, Steve Sandford, partner and head of digital forensics & incident response at CyXcel, outlined why npm is drawing the attention of cyber criminals over other popular open source repositories, and what businesses should be doing to mitigate the threat.
“The rise of open source malware is a growing concern as open source software becomes more integral to enterprise IT. NPM is a popular target due to its dominance and high download volume, with minimal verification processes allowing malicious actors to introduce compromised packages easily,” he explained.
“In contrast, PyPI has a smaller user base. As technology evolves and uses increase, the threat of malware will likely grow. To mitigate these threats, enterprises should implement automated scanning tools, maintain an updated inventory of open source components, ensure regular updates and patching, conduct security assessments, train employees, and develop an incident response plan.”
Over 15 billion unvetted shadow downloads in 2024
But the report added that it discovered a large number of malicious packages that were bypassing repository managers altogether, and were being directly downloaded onto dev machines or shared build infrastructures.
Referred to as shadow downloads, Sonatype defines this trend as open source components taken from a public repository but bypassing the artifact repository manager.
“This practice introduces unvetted and unobservable dependencies into projects, bypassing established governance, review, and security processes," Sonatype explained
“While precise numbers vary by organization, recent insights indicate a surprising percentage in production environments originated from shadow downloads, escaping security review entirely.”
Sonatype warned that shadow downloads, which saw a 15.6 billion increase in downloads between December 2023 and November 2024, undermine software supply chain vulnerabilities in several ways.
Firstly the lack of visibility of shadow downloads means they often go unnoticed, making it far more difficult to manage updates.
Secondly, they expose systems to unvetted components, increasing the likelihood of introducing malicious packages, such as those associated with dependency confusion or typosquatting, Sonatype added.
Finally, bypassing repository managers means organizations no longer have the ability to enforce policies, such as release integrity checks or vulnerability scans, on the components.
