SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Sonatype reports rise in open source malware to 17,954

Yesterday

Sonatype has released its Open Source Malware Index for the first quarter of 2025, signalling a shift in the tactics employed by malware developers.

The report identified 17,954 open source malware packages, more than double the figure for the same quarter of the previous year. Notably, 56% of the malware identified in the period was related to data exfiltration, up sharply from the 26% recorded in the last quarter of 2024. The shift indicates that malicious open source components are increasingly being used to steal sensitive data from the environments that install them.

There was also a notable rise in crypto-mining malware, which made up 7% of the malicious packages discovered, up from 3.5% in the final quarter of last year. Resource-hijacking attacks therefore remain a live concern within open source ecosystems.

Sonatype reports that it blocked more than 20,000 open source malware attacks in the first quarter of 2025. Of these, 66% targeted financial services companies, 14% government organisations, and 7% the utilities, oil and gas sector.

The report also indicated a decrease in what it termed "Open Source Malware 'Noise'": 80% of the packages logged in the period were more sophisticated and dangerous types of malware, such as droppers and code injection malware, rather than low-effort or proof-of-concept uploads.

Brian Fox, Co-founder and CTO of Sonatype, stressed the importance of proactive measures in the fight against such threats. "The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors," Mr. Fox stated. "We have seen a rise in more sophisticated types of open source malware, showing that attackers are innovating in ways that demand ongoing vigilance. You have to block it before it enters the development environment — if open source malware is in your repository, it's already too late."

The report is part of Sonatype's ongoing series of publications on open source security threats and trends. As open source usage expands globally, the findings underscore the need for organisations to put proactive controls in place to protect the software supply chain.

Additionally, Sonatype publishes an annual State of the Software Supply Chain report, offering a year-over-year analysis of open source consumption and the associated risks. Last year's analysis recorded a 156% increase in open source malware over 2023, suggesting that many unprotected repositories remain exposed to such attacks.

Sonatype positions its Repository Firewall, which combines AI behavioural analytics with automated policy enforcement, as a way to block malicious open source components before they reach development environments. The company credits its security research team with turning that analysis into prevention, citing the nearly 21,000 open source malware attacks it says were blocked in the first quarter of this year.
