Malware Targeting Developers Reaches 845K Packages According to Sonatype Open Source Malware Index
Attackers focus on data exfiltration as 16K new open source malware packages are logged in Q2 2025
Fulton, Md., July 08, 2025 (GLOBE NEWSWIRE) -- Sonatype®, the end-to-end software supply chain security company, today released the Q2 2025 edition of its Open Source Malware Index, uncovering 16,279 malicious open source packages across major ecosystems including npm and PyPI. This quarter’s count brings the total number of open source malware packages Sonatype has discovered to 845,204. Compared to the end of the same quarter last year, the total volume of malware logged by Sonatype has surged 188%, underscoring the growing sophistication and scale of attacks aimed at developers, software teams, and CI/CD pipelines.
“Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in,” said Brian Fox, CTO and Co-founder of Sonatype. “Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies.”
Exfiltration at Scale: More Than Half of Attacks are After Secrets and Sensitive Data
Data exfiltration remains the most prevalent threat vector, accounting for 55% of all malicious packages discovered. In Q2 alone, more than 4,400 packages were specifically designed to steal sensitive data, including secrets, personally identifiable information (PII), passwords, access tokens, and API keys. These attacks increasingly target the critical intersection of developer tools and production environments, where a single leak can compromise entire systems.
From Theft to Sabotage: Data Corruption Malware Sees Alarming Growth
While data exfiltration holds the top spot, Sonatype analysts observed a notable uptick in malware focused on data corruption, with such threats doubling in frequency to represent over 3% of all malicious packages — more than 400 unique instances in Q2 2025. These packages aim to damage files, inject malicious code, or otherwise sabotage applications and infrastructure.
Crypto Miners Slip Slightly as Attackers Double Down on Higher-Impact Payloads
Malware built for cryptomining comprised 5% of all packages in Q2, marking a slight decline from the previous quarter. This trend may reflect a shift in attacker focus from resource exploitation to more insidious goals such as credential theft and long-term infiltration.
Open Source Malware is Operationalizing at Scale
Notably, Lazarus Group, an Advanced Persistent Threat (APT) associated with the North Korean government, was linked to 107 packages discovered by Sonatype in Q2 2025 that collectively have more than 30,050 known downloads. This demonstrates that some of the most sophisticated threat groups in the world are leveraging open source to accomplish cyber espionage, financial cybercrime, and more.
Sonatype’s Open Source Malware Index draws from its proprietary behavioral and automated malware detection systems, actively monitoring and analyzing activity across ecosystems such as npm, PyPI, Maven Central, and more. The Index is part of Sonatype's ongoing commitment to equipping organizations with the most up-to-date information on open source security threats. As open source usage continues to grow globally, these insights underscore the need for proactive measures to safeguard the software supply chain.
Sonatype Repository Firewall is the industry’s only solution designed to block malicious open source components and AI models before they attack developers, using AI behavioral analytics and automated policy enforcement. Backed by Sonatype’s industry-leading security research team, Sonatype Repository Firewall helped customers prevent 5,354,199 open source malware attacks in Q2 of this year, with 89% of those attacks aimed at financial services organizations.
For more details and access to the latest Open Source Malware Index data, visit https://www.sonatype.com/blog/open-source-malware-index-q2-2025.
About Sonatype
Sonatype is the software supply chain security company. We provide the world’s best end-to-end software supply chain security solution, combining the only proactive protection against malicious open source, the only enterprise grade SBOM management and the leading open source dependency management platform. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.

Megan Schmidt Sonatype 3179083661 megan.schmidt@sonatype.com
