Malicious open source software packages have become a critical problem threatening the software supply chain.
That’s one of the major takeaways of a new report titled “State of the Software Supply Chain” by open source software security company Sonatype.
Sonatype said its researchers identified more than 454,600 new malicious packages last year across npm, PyPI, Maven Central, NuGet, and Hugging Face, repositories which together combined for 9.8 trillion downloads.
Open source malware has evolved “from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” the researchers said.
“What stands out most about 2025 is not just the scale of the threat, but also the sophistication,” the report said. “Where 2024’s XZ Utils incident was groundbreaking, demonstrating how a single compromised maintainer could imperil global infrastructure, 2025 saw software supply chain risk evolve dramatically.”
npm Leads in Malicious Open Source Software Packages
More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically.
Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain.
IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.”
“Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said.
Open Source Malware Exploits Developer Processes
Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines.
“Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.”
The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell … and Shai-Hulud to have ecosystem-wide impact.”
“The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact.
“Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.”
Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted.
“AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”
