The growth of open source malware has continued apace in 2024, according to new research, with cyber criminals taking advantage of the proliferation of open source software.
A report from software supply chain management firm Sonatype found there was a 156% increase in malicious packages identified on open source repositories over the past year.
Sonatype has identified 778,529 malicious open source packages since it began tracking them in 2019, which it noted was an increase of 70,000 since its annual report was published in October.
Open source malware are malicious packages that disguise themselves as legitimate open source software (OSS) to infiltrate software supply chains.
The three distinct characteristics of open source malware listed in the report were their intentional insertion into open source repositories for malicious purposes, their specific targeting of developers, and ability to evade conventional detection methods.
Sonatype said this approach is able to circumvent traditional security measures and poses a unique threat to enterprises.
“This unique distribution method — compromised open source repositories — exploits gaps in dependency management tooling and development build pipelines, bypassing conventional security mechanisms in order to attack software developers directly,” the report warned.
Npm accounts for over 98% of malicious open source packages
Sonatype noted that software repositories like npm and PyPI process trillions of open source package requests each year, featuring a publishing model that is designed to ensure speed of delivery with the aim of helping foster agile development and innovation.
The unintended consequence of this model is that it makes it far easier for hackers to smuggle their malicious packages onto the platforms unnoticed.
For example, the report noted that npm, the world’s largest JavaScript package registry, was disproportionately impacted by the plague of malicious packages.
Overall, npm accounted for 98.5% of the malicious packages identified by Sonatype over the course of 2024; whereas PyPI, the official package repository for Python, represented just 1% of open source malware Sonatype detected.
RELATED WHITEPAPER
In total, Sonatype found over 540,000 malicious components hosted on npm, dwarfing the roughly 5,000 malicious assets identified on PyPI.
Sonatype said the ease of publishing on npm, which allows devs to publish packages with minimal verification, means they can “upload malicious components quickly and at scale”.
The report added that npm has been a victim of surges of spam packages in recent years.
A significant proportion of this spam looks to simply monetize a high volume of downloads using protocols like Tea.xyz, whereas others are seeking to embed malware into projects for more nefarious purposes.
Finally, the sheer scale of demand on the npm platform, which will have received an expected 4.5 trillion requests in 2024 – up 70% compared to 2023 – makes it an ideal target for threat actors looking to maximize their impact.
Speaking to ITPro, Steve Sandford, partner and head of digital forensics & incident response at CyXcel, outlined why npm is drawing the attention of cyber criminals over other popular open source repositories, and what businesses should be doing to mitigate the threat.
“The rise of open source malware is a growing concern as open source software becomes more integral to enterprise IT. NPM is a popular target due to its dominance and high download volume, with minimal verification processes allowing malicious actors to introduce compromised packages easily,” he explained.
“In contrast, PyPI has a smaller user base. As technology evolves and uses increase, the threat of malware will likely grow. To mitigate these threats, enterprises should implement automated scanning tools, maintain an updated inventory of open source components, ensure regular updates and patching, conduct security assessments, train employees, and develop an incident response plan.”
Over 15 billion unvetted shadow downloads in 2024
But the report added that it discovered a large number of malicious packages that were bypassing repository managers altogether, and were being directly downloaded onto dev machines or shared build infrastructures.
Referred to as shadow downloads, Sonatype defines this trend as open source components taken from a public repository but bypassing the artifact repository manager.
“This practice introduces unvetted and unobservable dependencies into projects, bypassing established governance, review, and security processes," Sonatype explained
“While precise numbers vary by organization, recent insights indicate a surprising percentage in production environments originated from shadow downloads, escaping security review entirely.”
Sonatype warned that shadow downloads, which saw a 15.6 billion increase in downloads between December 2023 and November 2024, undermine software supply chain vulnerabilities in several ways.
Firstly the lack of visibility of shadow downloads means they often go unnoticed, making it far more difficult to manage updates.
Secondly, they expose systems to unvetted components, increasing the likelihood of introducing malicious packages, such as those associated with dependency confusion or typosquatting, Sonatype added.
Finally, bypassing repository managers means organizations no longer have the ability to enforce policies, such as release integrity checks or vulnerability scans, on the components.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
Fake file converter tools are on the rise – here’s what you need to knowNews The FBI has issued an alert over the rise of fake file converter tools available online after observing a spate of scams and ransomware attacks.
-
Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malwareNews Threat actors are exploiting users’ familiarity with verification tests to trick them into loading malware onto their systems, new research has warned.
-
A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprisesNews The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone
-
Why ‘malware as a service’ is becoming a serious problemNews Researchers have issued a warning over the rise of 'malware as a service' platforms amid a surge in attacks over the last year.
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
-
Hackers are using a new AI chatbot to wage cyber attacks: GhostGPT lets users write malicious code, create malware, and curate phishing emails – and it costs just $50 to useNews Researchers at Abnormal Security have warned about the rise of GhostGPT, a new chatbot used by cyber criminals to create malicious code and malware.
-
US authorities just purged malware from thousands of devices across the worldNews After taking control of the PlugX malware’s command-and-control server, the coalition were able to trigger a self-delete mechanism to remove the malicious program
-
The open source community relies on a loyal army of committed developers – but their security practices are putting the whole ecosystem at riskNews The security of individual developer accounts poses a serious threat to open source ecosystem, according to a new report from the Linux Foundation
