Open source malware up 200% since 2023

Sonatype’s 2024 Open Source Malware Threat Report reveals that the number of malicious packages has surpassed 778,500 since tracking began in 2019. In 2024, researchers examined how threat actors leverage malicious open-source packages to target developers, particularly as enterprises increasingly adopt open-source tools to build custom AI models.

Source: Sonatype

Open source malware thrives in ecosystems with low entry barriers, no author verification, high usage, and diverse users. Platforms like npm and PyPI, which handle trillions of package requests annually, offer prime opportunities for attackers to infiltrate the software supply chain. Malicious actors target popular packages, mimic legitimate ones, or take over maintainer accounts to repackage malware. They often release higher version numbers to deceive build systems, allowing tainted components to enter CI/CD pipelines and spread malicious code.

Popular open-source code registry npm represents 98.5% of malicious packages observed

The JavaScript ecosystem’s 70% growth in download requests combined, largely due to AI and spam, with minimal verification processes for new packages, make it a popular target for threat actors.

PUAs (Potentially Unwanted Applications) represent the bulk of open source malware activity (64.75%)

These can contain spyware, adware, or tracking components that would compromise the security and privacy of end users. Other prevalent types of open source malware include security holdings packages (24.2%) and data exfiltration (7.86%).

Shadow downloads increased 32.8% over the past year

Open source malware is increasingly being downloaded directly to developer machines through shadow downloads which bypass software repository policies and security checkpoints.

“Software developers have become the prime target for the next evolution of software supply chain attacks,” said Brian Fox, CTO at Sonatype. “Open source malware is uniquely nefarious — it sits between endpoint solutions, which can’t detect this method of delivery, and traditional vulnerability analysis. Too many enterprises treat open source malware like vulnerabilities in code, waiting to catch bugs during scanning which is too late. It is imperative for organizations to take a proactive approach, preventing consumption of open source malware before it enters their development pipelines.”