The number of open source malware packages is rising fast, and security researchers are warning software developers to remain vigilant.
Software supply chain security firm Sonatype reports that it uncovered 16,279 malicious open source packages across major ecosystems, including npm and PyPI, over the last quarter.
Overall, the total volume of malware logged by the firm has surged by 188% compared with the same quarter last year.
"Attackers are no longer simply experimenting with open source. The numbers are telling us that threat actors have identified data as the most profitable target, and developers as the easiest way in," said Brian Fox, CTO and co-founder of Sonatype.
“Developers and security teams must be vigilant, as threats increasingly hide in plain sight within everyday tools and dependencies.”
The main threat vector was data exfiltration, accounting for 55% of all malicious packages discovered. In the second quarter alone, Sonatype found more than 4,400 packages were specifically designed to steal sensitive data, including secrets, personally identifiable information (PII), passwords, access tokens, and API keys.
There was also a big rise in malware focused on data corruption, which now accounts for 3% of all malicious packages, twice as many as last year.
Meanwhile, cryptomining malware accounted for 5% of all packages in the second quarter, slightly down from the previous quarter. Sonatype attributed this to a shift among attackers from resource exploitation to credential theft and long-term infiltration.
Many of the packages used advanced techniques for exfiltrating sensitive data, including exfiltrating .git-credentials, AWS secrets, and environment variables; targeting developer systems to harvest credentials used in CI/CD pipelines; and using time-delayed payloads and encrypted transmissions to avoid detection.
"We continue to see a large volume of malware targeting environment variables, config files, and other common places used by CI/CD tools and cloud services to store sensitive information," said Sonatype principal security researcher Garrett Calpouzos.
"Once attackers collect these credentials, they can attempt unauthorized access to cloud accounts, APIs, databases, and internal systems, opening the door to broader compromise and exploitation."
Open source ecosystem threats are growing
The notorious Lazarus Group, an Advanced Persistent Threat (APT) associated with the North Korean regime, was behind 107 packages, accounting for more than 30,050 known downloads.
Earlier this year, SecurityScorecard revealed that the group's latest campaign, dubbed Operation Marstech Mayhem, was based on an advanced implant named Marstech1 and designed to compromise software developers and cryptocurrency wallets through manipulated open source repositories.
By embedding its malware inside NPM packages, researchers said it made it almost impossible for developers to detect without thorough vetting.
Similarly, Fortinet warned last year it had identified thousands of malicious packages distributed across open source repositories.
The packages included lightweight code designed to evade detection, scripts that execute malware upon installation and packages lacking repository URLs, making them harder to trace.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
GitHub just launched a new 'mission control center' for developers to delegate tasks to AI coding agentsNews The new pop-up tool from GitHub means developers need not "break their flow" to hand tasks to AI agents
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
The Allianz Life data breach just took a huge turn for the worse
News Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
Rapper Bot was ‘one of the most powerful DDoS botnets to ever exist’ – now it’s done and dustedNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Warning issued as new Pakistan-based malware group hits millions globallyNews Tempting people in with offers of pirated software, the network installs commodity infostealers, according to CloudSEK
-
LevelBlue and Akamai are teaming up to launch a managed web application and API protection serviceNews The new Managed WAAP offering aims to help organizations secure their rapidly expanding web app and API ecosystems
