The scale and sophistication of attacks targeting developers, software teams and CI/CD pipelines continued to grow in Q2 2025, with Sonatype reporting a 188% annual increase in malicious open source packages.
The security vendor monitors activity across ecosystems such as npm, PyPI and Maven Central, in order to better understand open source threat levels.
Its latest Open Source Malware Index revealed a total of 16,279 malicious open source packages across the biggest such ecosystems. That brings the total number the vendor has discovered since it started this analysis in 2017 to 845,204.
“Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in,” said Brian Fox, CTO and co-founder of Sonatype.
“Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies.”
Data exfiltration accounted for the majority (55%) of malicious packages discovered in Q2 2025, with attackers targeting secrets, personally identifiable information (PII), passwords, access tokens and API keys.
Sonatype also reported a doubling of data corruption malware, having discovered 400 such instances in the quarter. This threat is typically designed to damage files, inject malicious code, and sabotage applications and infrastructure in other ways.
Malware designed for cryptomining comprised 5% of all packages in Q2, representing a slight decline from the previous quarter.
A single threat actor, North Korea’s notorious Lazarus Group, was linked to 107 malicious packages downloaded more than 30,000 times, according to Sonatype. This highlights the growing focus by threat groups on the open source ecosystem as a useful way to accomplish cyber-espionage and financial crime, the vendor claimed.
Sonatype reported a 156% increase in open source malware last year, although the numbers it is finding are small in comparison to the more than six trillion package downloads from the main platforms during the period.