Open Source Malware Surges 188% Targeting Developers Globally

In the second quarter of 2025, malicious open-source software packages surged by 188%, with security firm Sonatype uncovering 16,279 new malware packages targeting developers and CI/CD pipelines. Data exfiltration dominated these attacks, accounting for 55% of malicious packages, specifically designed to steal sensitive information such as secrets, credentials, API keys, and personally identifiable information. A notable example includes a malicious npm package disguised as a CryptoJS revival, which targeted crypto wallets with over 1,000 units and harvested MongoDB connection strings and environment variables. Attackers are increasingly focusing on developer environments, exploiting environment variables, config files, and CI/CD tools to gain unauthorized access, using sophisticated techniques like time-delayed payloads and encrypted transmissions to evade detection. Additionally, there was a doubling in data corruption malware, aimed at sabotaging applications and infrastructure, while cryptomining malware slightly declined as threat actors shift toward credential theft and long-term infiltration. The Lazarus Group, linked to North Korea, was responsible for over 100 malicious packages, underscoring the growing use of open-source ecosystems by advanced threat actors for cyber-espionage and financial crime.