Software supply chain security company Sonatype uncovered 17,954 open-source malware packages during Q1 2025, the company revealed in its Open Source Malware Index.
Sonatype’s Open Source Malware Index for Q1 2025 was published April 2. The proliferation of open source malware, meaning intentionally malicious open source packages, poses unprecedented risk in the form of software supply chain attacks, the company said. Such packages are crafted to target developers in order to infiltrate and exploit software supply chains, according to Sonatype.
The index tracks evolving trends in open source malware and shifts in malicious package activity across ecosystems. Data for Q1 2025 showed a notable shift in the types of threats targeting software developers, with more than half of the malware identified aimed at exfiltrating sensitive data, Sonatype said.