Malicious Open Source Packages Surge 188% Annually

Published 2025-07-09 at http://ft365.org/index.php/2025/07/09/malicious-open-source-packages-surge-188-annually/

[Photo of Phil Muncaster]

The scale and sophistication of attacks targeting developers, software teams and CI/CD pipelines continued to grow in Q2 2025, with Sonatype reporting a 188% annual increase in malicious open source packages.

The security vendor monitors activity across ecosystems such as npm, PyPI and Maven Central in order to better understand open source threat levels.

Its latest Open Source Malware Index revealed a total of 16,279 malicious open source packages across the biggest such ecosystems. That brings the total number the vendor has discovered since starting this analysis in 2017 to 845,204.

"Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in," said Brian Fox, CTO and co-founder of Sonatype.

"Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies."

Read more on open source threats: Majority of Critical Open Source Projects Contain Memory Unsafe Code

Data exfiltration accounted for the majority (55%) of malicious packages discovered in Q2 2025, with attackers targeting secrets, personally identifiable information (PII), passwords, access tokens and API keys.

Sonatype also reported a doubling of data corruption malware, having discovered 400 such instances in the quarter. This threat is typically designed to damage files, inject malicious code, and sabotage applications and infrastructure in other ways.

Malware designed for cryptomining comprised 5% of all packages in Q2, representing a slight decline from the previous quarter.

A single threat actor, North Korea's notorious Lazarus Group, was linked to 107 malicious packages downloaded more than 30,000 times, according to Sonatype. This highlights the growing focus by threat groups on the open source ecosystem as a useful way to accomplish cyber-espionage and financial crime, the vendor claimed.

Sonatype reported a 156% increase in open source malware last year, although the numbers it is finding are small in comparison to the more than six trillion package downloads from the main platforms during the period.