SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Sonatype warns of surge in trusted open-source malware

Wed, 15th Apr 2026

Sonatype has released its Open-Source Malware Index for the first quarter of 2026, warning that attackers continued to target software packages developers use and trust.

The company identified 21,764 malicious open-source packages during the quarter and blocked 136,107 malware attacks, bringing its total logged since 2017 to 1,346,867 malicious packages.

Its findings show a sustained focus on npm, the JavaScript package ecosystem, which accounted for 75% of malicious packages in the period. Trojan-style malware was the most common type, ahead of brandjacking and hijacking, with many campaigns aimed at stealing credentials, gathering host information and delivering follow-on payloads.

According to the report, 22% of malware packages exfiltrated information from infected devices, while 19% stole secrets. The defining pattern was abuse of trust: attackers used plausible package names, legitimate release paths and familiar workflows to get malicious code installed in development and continuous integration environments.

Trust Abuse

The research found that the pace of activity worked out to one new malicious package every six minutes during the quarter. JavaScript ecosystems remained an attractive route because they offer direct access to developers and build systems at scale.

The report argues that the main risk was not simply malicious code entering open-source ecosystems, but entering through software and processes that appeared legitimate. Attackers repeatedly relied on default trust rather than especially novel techniques.

It highlights three incidents as examples of that pattern: SANDWORM_MODE, a compromise involving Trivy and LiteLLM, and an attack affecting axios. In each case, malware was introduced through channels developers would normally regard as routine or reliable.

Three Incidents

SANDWORM_MODE involved typosquatted npm packages designed to harvest data from developer machines and CI environments. Researchers observed theft of npm and GitHub tokens, environment variables, cryptographic keys and API credentials, alongside code intended to spread into additional repositories and workflows.

They also found code designed to interact with a local Ollama instance, pointing to early experimentation with malware able to modify itself inside compromised environments.

The Trivy and LiteLLM incident showed a different route. A compromised version of the Trivy security scanner was used to help insert malicious code into the LiteLLM library, making the attack notable because it used a trusted tool in the software delivery chain rather than a fake package alone.

The linked LiteLLM compromise involved malicious PyPI versions 1.82.7 and 1.82.8. Those versions contained an obfuscated credential stealer and dropper targeting API keys, environment variables, SSH keys, Git credentials, cloud secrets, Kubernetes tokens, Terraform and Helm artefacts, and CI/CD configuration, before establishing persistence through sysmon.py.

Axios showed how a small modification to a widely used package can create broad downstream exposure. Attackers hijacked an npm publishing account and released axios@1.14.1 and axios@0.30.4 with a hidden dependency on plain-crypto-js@4.2.1, which used npm's postinstall hook to fetch and run a secondary payload.

Researchers found operating system-specific launcher behaviour for macOS, Windows and Linux, consistent with the delivery of a remote access trojan. The attack also used clean-up and metadata techniques intended to complicate analysis.

Developer Response

The findings underline the need for development teams to inspect both top-level and transitive dependencies before software reaches developer devices or CI pipelines. They also suggest dev and CI environments should be treated as high-value targets because attackers repeatedly sought tokens, cloud credentials, SSH material and pipeline secrets.
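As an added illustration (not part of Sonatype's report or the original article), the sketch below walks a parsed npm `package-lock.json` (lockfile v2/v3) and flags the npm versions named above, plus any other entry npm has marked with `hasInstallScript`, noting whether each is a direct or transitive dependency. The sample lockfile and the package names `demo-app`, `left-util` and `native-thing` are constructed for the example.

```javascript
// Versions the article names as malicious on npm.
const KNOWN_BAD = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);

// Lockfile key -> package name:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Walk every installed entry, direct and transitive, and return findings:
// "known-bad" for a listed version, "install-script" for any other entry
// that runs preinstall/install/postinstall code at install time.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the project itself
    const name = nameFromPath(path);
    const topLevel = path === `node_modules/${name}`;
    const scope = topLevel && direct.has(name) ? "direct" : "transitive";
    const bad = (KNOWN_BAD.get(name) || []).includes(entry.version);
    if (bad || entry.hasInstallScript) {
      const kind = bad ? "known-bad" : "install-script";
      findings.push({ kind, name, version: entry.version, scope, path });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "left-util": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/left-util": { version: "2.0.3" },
    "node_modules/left-util/node_modules/native-thing": { version: "0.9.0", hasInstallScript: true },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f.kind, `${f.name}@${f.version}`, f.scope);
```

Run against a real project by passing `JSON.parse` of its `package-lock.json` to `auditLockfile` before dependencies are installed on a developer machine or CI runner.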

Another lesson from the quarter is that removing a malicious package may not be enough after execution. In incidents such as LiteLLM and axios, teams should assume credential exposure, rotate secrets and review affected environments.

The report also argues that release workflows now form part of the attack surface. Maintainer accounts, publishing processes and release automation all need closer scrutiny because attackers no longer need to rely on obviously suspicious packages when they can use familiar names and trusted update paths.

The quarter's findings draw on package consumption data and Sonatype's own datasets, including malware blocked by Sonatype Firewall, dependency update patterns across more than 1.5 trillion requests from Maven Central and thousands of open-source projects, and assessments of hundreds of thousands of enterprise applications.

Sonatype's central conclusion is that the most effective open-source attacks depend on appearing trustworthy. As the report puts it, attackers succeed by "hiding behind trusted packages, trusted release paths, and trusted workflows to steal secrets, access sensitive data, and compromise entire organisations".