Sonatype, a provider of AI-centric DevSecOps, this week released the Open Source Malware Index, Q3 2025, which analyzed 34,319 open source malware packages discovered by Sonatype across major open source registries, including npm, PyPI, Hugging Face, and more. This quarter’s count brings the total number of malicious packages Sonatype has discovered to 877,522 since 2019.
“The era of noisy, opportunistic malware is over. Attackers are patient, organized, and increasingly using AI to embed themselves inside the very tools developers rely on,” said Brian Fox, CTO and co-founder of Sonatype. “They’re hiding malicious payloads in plain sight, turning trusted open source dependencies into delivery mechanisms for data theft and persistence. Defenders need to match that sophistication with AI-driven visibility and proactive controls that stop threats before they ever reach a developer’s environment.”
A series of npm attacks illustrates a dangerous escalation: attackers are no longer just inserting malicious code into the ecosystem — they’re turning the supply chain itself into a weapon. The chalk and debug package hijack campaign, which impacted components that see more than 2 billion weekly downloads, demonstrated how attackers can subvert legitimate projects to distribute malware at scale. Meanwhile, the unprecedented Shai-Hulud campaign exhibited worm-like behavior that allowed malicious code to self-propagate across repositories, exfiltrate credentials, and publish new compromised packages.
In Q3, data exfiltration malware accounted for 37% of all malicious open source packages detected, underscoring what previous quarters have shown: there is a growing trend toward intelligence-gathering, espionage, and monetization of stolen data. Adversaries are targeting developer credentials, access tokens, and proprietary information, transforming open source ecosystems into rich hunting grounds for data-driven exploitation.
Droppers, which act as lightweight delivery mechanisms that install secondary payloads such as backdoors or info-stealers, skyrocketed in Q3, making up nearly 38% of all threats, while backdoor-laden packages grew 143% quarter-over-quarter. This indicates a strategic evolution in that adversaries are increasingly building multi-stage malware that installs, hides, and maintains long-term access, posing as benign dependencies.
Once a dominant category, cryptominers accounted for just 4% of malicious packages in Q3, down from 6% last quarter. This decline reflects the commoditization of simple malware — attackers no longer find value in easily detectable, one-dimensional exploits. Instead, they’re investing in stealth, persistence, and long-term financial return.
Sonatype Security Research leads the industry in open source malware threat research, tracking malicious open source since 2019. Repository Firewall is the industry’s only solution designed to block malicious open source components and AI models before they attack developers through AI-powered behavioral analytics and automated policy enforcement. Backed by Sonatype’s industry-leading security research team, Sonatype Repository Firewall helped customers prevent 110,370 open source malware attacks in Q3 of this year, with 47% of those attacks facing financial services organizations.
