In a sharp escalation, open source malware has increased 140% quarter-over-quarter this year.
Sonatype, an AI-centric DevSecOps firm, has released the Open Source Malware Index for Q3 2025, revealing a total of 34,319 new open source malware packages identified across major registries such as npm, PyPI, and Hugging Face. The findings bring Sonatype’s cumulative total to 877,522 malicious packages discovered since 2019.
“The era of noisy, opportunistic malware is over. Attackers are patient, organized, and increasingly using AI to embed themselves inside the very tools developers rely on,” said Brian Fox, CTO and Co-founder of Sonatype. “They’re hiding malicious payloads in plain sight, turning trusted open source dependencies into delivery mechanisms for data theft and persistence. Defenders need to match that sophistication with AI-driven visibility and proactive controls that stop threats before they ever reach a developer’s environment.”
Shai-Hulud in its prime
According to the Index, a new wave of supply chain attacks on npm showcased the growing sophistication of cyber threats. The chalk and debug package hijack campaign, which impacted components with more than two billion weekly downloads, demonstrated how legitimate projects can be exploited to spread malware at scale. The Shai-Hulud campaign, meanwhile, displayed self-propagating behavior, exfiltrating credentials and publishing new compromised packages across repositories.
Data theft emerged as a primary target in Q3, with 35% of detected malicious packages focusing on exfiltration. This trend points to a shift toward espionage and monetization, as attackers increasingly seek developer credentials, tokens, and proprietary information.
Sonatype’s research also highlighted a rise in multi-stage and stealth-first malware. Droppers accounted for 38% of threats this quarter, while backdoor-laden packages increased 143% over Q2, suggesting that adversaries are refining their methods to maintain persistent, covert access through seemingly benign dependencies.
Decline and fall
By contrast, low-effort malware such as cryptominers is in decline, making up just 4% of threats in Q3 — down from 6% in the previous quarter. The data reflects how attackers are abandoning simple, high-noise exploits in favor of stealthier, more profitable operations.
Sonatype’s open source malware tracking is carried out by its Security Research division and supported by its Repository Firewall, a product designed to block malicious open source components and AI models before they reach developers. In Q3 alone, Repository Firewall helped customers prevent 110,370 malware attacks, nearly half of which targeted financial services organizations.
The post Open Source Malware Surges 140% in Q3 appeared first on eWEEK.