Sonatype, a company focused on software supply chain security, has announced the results of its quarterly Open Source Malware Index, which provides insights into malicious open source packages.
The index found 17,954 malicious open source software packages, including several hijacked npm crypto packages, a malicious npm package disguised as the Truffle for VS Code extension, and fake Solana packages.
Fifty-six percent of the packages were related to data exfiltration. These packages would be used by attackers to obtain sensitive data from the systems they are installed on.
For comparison, the Q4 2024 report found that only 26% of packages were related to data exfiltration, signaling an increasing risk of sensitive information being compromised through open source components.
Eighty percent of the packages Sonatype found were categorized as “sophisticated and threatening types of malware,” like droppers or code injection malware.
“From hijacked crypto packages to fake development tools laced with spyware, Q1 2025 made it clear that open source malware threats are growing in both scale and sophistication. Threat actors continue to target the open source ecosystem with campaigns designed to steal credentials, exfiltrate sensitive data, and establish persistent access inside developer environments,” the company wrote in a blog post.
