4 min read
The number of malicious open source software packages discovered in 2025 jumped dramatically, with detections rising by about 73% compared with 2024, cybersecurity analysts say, underscoring a worsening threat landscape for developers and enterprise software supply chains.
According to the latest ReversingLabs Software Supply Chain Security Report, more than 10,000 malicious open source packages were identified last year, most of which involved node package manager (npm) repositories that cybercriminals are exploiting to spread malware and infiltrate software ecosystems at scale.
The research highlights a growing trend in which attackers weaponize trusted development tools and repositories to install backdoors, steal developer credentials, or compromise downstream applications — turning the very building blocks of software into delivery mechanisms for malware.
Why Open Source Malware Rings All the Bells
Open source software underpins much of modern software development: from mobile apps to cloud infrastructure. Repositories such as npm, PyPI, NuGet, and Maven Central host millions of packages downloaded by developers worldwide. A dramatic increase in malicious packages therefore has broad implications for the software supply chain and global cybersecurity.
In 2025 alone, npm accounted for about 90% of open source malware activity, according to ReversingLabs. One campaign, known as Shai-Hulud, compromised more than 1,000 npm packages and exposed an estimated 25,000 GitHub repositories, showing how a single infiltration can propagate widely through ecosystems.
The report says:
The biggest sources of the secrets leaked are Google, Amazon Web Services (AWS), Slack, and Telegram, with the Google Cloud platform being the largest source for 23% of the more than 39,000 secrets detected on npm and 14% of the nearly 9,300 secrets detected on PyPI. AWS accounted for 145, while the majority of exposed developer secrets are traced back to less well-known applications that together accounted for around two-thirds of leaked secrets detected on both npm and PyPI. Conversely, applications such as Discord, GitHub, and Slack saw a roughly 50% drop in secrets detected year-over-year.
Simultaneously, incidents of exposed developer secrets, such as API keys, database credentials, and cloud platform tokens, rose by roughly 11%, mainly on npm and Python Package Index (PyPI) repositories.
Patterns and Wider Trends
Several security researchers and industry reports highlight that 2025 was marked by broader acceleration in open source threats:
- Sonatype’s 2026 State of the Software Supply Chain report found open source malware has surged even further, with over 1.23 million malicious packages in circulation and downloads of open source components topping 9.8 trillion worldwide, illustrating how attackers are leveraging high demand to distribute malicious code.
- Sonatype also notes that AI-assisted software recommendations have introduced new risk, as generative AI tools sometimes suggest insecure or malicious components without contextual safety checks.
- Independent researchers documented spikes in open source malware related to data exfiltration and persistent access tactics, reinforcing the narrative that cybercriminals continue to refine their approaches.
This convergence of volume, sophistication, and delivery scale illustrates why open source malware is no longer a marginal issue but a systemic risk facing the broader software ecosystem.
The Supply Chain Trust Crisis
Security experts warn that this surge signals a deeper trust crisis in software supply chains, where developers and organizations increasingly rely on third-party code without adequate vetting or security safeguards.
“Malicious actors are now focusing their efforts on widely used open source projects through which malware can be injected into thousands of downstream applications,” said Tomislav Pericin, chief software architect at ReversingLabs.
He added that many organizations still underestimate the severity of the threat, often choosing convenience over rigorous security scrutiny when adopting open source components.
What Developers and Organizations Should Do
To counter the expanding threat, security professionals recommend:
- Refreshing supply chain security practices to include automated malware scanning and stricter dependency vetting.
- Implementing continuous monitoring across code repositories and CI/CD pipelines.
- Enforcing secrets management and rotate exposed credentials to close risk windows.
- Prioritizing package provenance verification before integration.
As attackers refine the use of stealthy, registry-native worms and AI-assisted malware dissemination, defenders say the software industry must adopt proactive defenses rather than reactive responses.
