Nearly 18,000 New Malicious Packages Discovered in Q1 According to Sonatype Open Source Malware Index

Malware targeting developers reaches 828,925 packages, with data exfiltration threats rising sharply

Fulton, Md., April 02, 2025 (GLOBE NEWSWIRE) — Sonatype®, the end-to-end software supply chain security company, today unveiled its Open Source Malware Index, Q1 2025, which examines evolving trends in open source malware and key shifts in malicious open source packages across ecosystems. This quarter’s data showed a notable shift in the types of threats targeting software developers, with a total of 17,954 open source malware packages identified.

Sonatype leads the industry in open source malware threat intelligence, with researchers uncovering major campaigns throughout the year, including nearly a dozen hijacked npm crypto packages, a counterfeit Truffle for VS Code package, and a group of packages targeting Solana developers. Key findings from Q1 2025 include: 

• Data Exfiltration Malware Dominates: 56% of the malware discovered in Q1 2025 was related to data exfiltration, designed to harvest sensitive information from infected systems, a dramatic increase from 26% in Q4 2024. This rise highlights the growing concern of sensitive information being compromised via malicious open source components.
• Crypto Miners Remain Steady: Crypto-mining malware made up 7% of malicious packages discovered in Q1 2025, doubling from 3.5% in Q4 2024, showing that resource-hijacking attacks are still prevalent in open source ecosystems.
• Financial Services and Government Institutions Defending Majority of Attacks: Sonatype helped block more than 20,000 open source malware attacks in Q1 2025 — 66% at financial services companies, 14% at government organizations, and 7% in the electricity, oil & gas sector.
• Open Source Malware ‘Noise’ Decreasing: 80% of logged packages in Q1 2025 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware. 

“The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors,” said Brian Fox, Co-founder and CTO of Sonatype. “We have seen a rise in more sophisticated types of open source malware, showing that attackers are innovating in ways that demand ongoing vigilance. You have to block it before it enters the development environment — if open source malware is in your repository, it’s already too late.”

The quarterly Open Source Malware Index is part of Sonatype’s ongoing commitment to equipping organizations with the most up-to-date information on open source security threats. As open source usage continues to grow globally, these insights underscore the need for proactive measures to safeguard the software supply chain.

Sonatype has published year-over-year analysis of open source consumption, risk and threat trends via the annual State of the Software Supply Chain® report for more than a decade. Last year’s report showed that open source malware increased by 156% over 2023 and estimated that half of unprotected repositories have already fallen victim to open source malware. 

Sonatype Repository Firewall is the industry’s only solution designed to block malicious open source components and AI models before they can target development environments through AI behavioral analytics and automated policy enforcement. Backed by Sonatype’s industry-leading security research team, Sonatype Repository Firewall helped customers prevent 20,920 open source malware attacks in Q1 of this year.

For more information about open source malware in Q1 2025, visit https://www.sonatype.com/blog/open-source-malware-index-q1-2025.

About Sonatype
Sonatype is the software supply chain security company. We provide the world’s best end-to-end software supply chain security solution, combining the only proactive protection against malicious open source, the only enterprise grade SBOM management and the leading open source dependency management platform. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.

Attachment

• Open Source Malware Index Q1 2025

CONTACT: Megan Schmidt
Sonatype
megan.schmidt@sonatype.com