Open-source malware doubles, data exfiltration attacks dominate

There’s been a notable shift in the types of threats targeting software developers, with a total of 17,954 open source malware packages identified in Q1 2025, according to Sonatype.

[Figure: Open Source Malware Index Q1 2025, quarterly breakdown (Source: Sonatype)]

The Q1 figure represents a significant decrease from the more than 34,000 malicious packages discovered last quarter, largely due to a sharp drop in security holding packages. However, compared to the same period last year, the overall malware count more than doubled.

Key findings from the Open Source Malware Index, Q1 2025 include:

Data exfiltration malware dominates: 56% of the malware discovered in Q1 2025 was related to data exfiltration, designed to harvest sensitive information from infected systems, a dramatic increase from 26% in Q4 2024. This rise highlights the growing concern of sensitive information being compromised via malicious open source components.

Crypto miners remain steady: Crypto-mining malware made up 7% of malicious packages discovered in Q1 2025, doubling from 3.5% in Q4 2024, showing that resource-hijacking attacks are still prevalent in open source ecosystems.

Financial services and government institutions defending attacks: Sonatype helped block more than 20,000 open source malware attacks in Q1 2025 — 66% at financial services companies, 14% at government organisations, and 7% in the utilities, oil & gas sector.

Open source malware ‘noise’ decreasing: 80% of logged packages in Q1 2025 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware.

“The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors,” said Brian Fox, CTO of Sonatype. “We have seen a rise in more sophisticated types of open source malware, showing that attackers are innovating in ways that demand ongoing vigilance. You have to block it before it enters the development environment — if open source malware is in your repository, it’s already too late.”
