Sonatype has identified nearly 18,000 malicious open-source packages in the first quarter of 2025, highlighting a growing threat to software supply chains. The company released these findings in its newly introduced Open Source Malware Index, unveiled on April 2. The index reflects a troubling rise in the number and complexity of malicious packages intentionally designed to target developers and compromise software development environments.
According to Sonatype, these open-source malware packages are specifically crafted to infiltrate software supply chains by exploiting developers’ trust in popular ecosystems like Maven Central, NPM, PyPI, and NuGet. The Q1 2025 data reveals a significant surge in threats focused on stealing sensitive data—56% of detected malware aimed to exfiltrate information, more than doubling the 26% observed in the previous quarter. This trend signals a shift in attackers’ priorities, with a stronger focus on data harvesting over other forms of disruption.
The methodology behind the index involved analyzing a massive dataset of over 1.5 trillion package requests from Maven Central, alongside Sonatype’s own threat intelligence gathered through tools like the Sonatype Firewall. The review also examined patterns in dependency updates and observed behaviors across various programming language ecosystems. Notably, crypto-mining malware also saw an uptick, accounting for 7% of malicious packages in Q1 2025—up from 3.55% in Q4 2024.
Sonatype’s proactive defenses helped block over 20,000 open-source malware attacks during the quarter, with the financial services sector bearing the brunt—66% of blocked attacks were directed at financial institutions, followed by 14% at government organizations and 7% at the oil and gas industry. Perhaps most concerning, 80% of the detected malware consisted of advanced threats such as droppers and code injection tools, pointing to a marked increase both in technical sophistication and in the potential damage these attacks can cause.