Malicious Open Source Packages Surge in Q2 2025

In the second quarter of 2025, malicious open-source software packages surged by 188%, with over 16,000 new threats identified across major ecosystems such as npm, PyPI, and Maven Central. Data exfiltration was the primary motive, with most packages designed to steal credentials, API keys, and personal information, while destructive malware targeting data corruption doubled in prevalence. Cryptomining malware declined to represent just 5% of threats as attackers shifted focus to credential theft and long-term infiltration. The Lazarus Group, linked to North Korea, was associated with over 100 malicious packages, highlighting the role of state-backed actors. A new trend in browser-based threats emerged, exemplified by the RedDirection campaign, which leveraged popular Chrome and Edge extensions to hijack sessions and spy on more than 2.3 million users. These developments emphasize the escalating risks across software supply chains and the need for heightened vigilance among developers, security teams, and end users.