
Sonatype

Cybersecurity reports and statistics published by Sonatype


Research Reports

Reports and publications from Sonatype

Recent Statistics & Reports

Sonatype detected and logged 107 malicious components attributed to the Lazarus Group, a North Korea-linked Advanced Persistent Threat (APT), across both npm and PyPI in late Q2 2025.

The collection of more than 100 packages attributed to the Lazarus Group has a total of over 30,050 known downloads.

Sonatype discovered 16,279 pieces of open source malware during the second quarter of 2025, specifically between April 1 and June 30, 2025. This is comparable to the more than 17,000 malicious packages identified in the preceding quarter, Q1 2025.

Sonatype has identified 845,204 malicious packages, and counting, across various open source repositories.

There was a 188% increase in open source malware discovered in Q2 2025 compared to Q2 of the previous year.

The "Yeshen-Asia" campaign, a sprawling six-month operation attributed to a suspected Chinese threat actor, involved over 60 malicious npm packages.

Over 4,400 packages discovered in Q2 2025 were specifically designed to steal sensitive information, including secrets, personally identifiable information (PII), credentials, and API tokens.

Malware specifically targeting data corruption doubled in frequency in Q2 2025, making up 3% of total malicious packages, which equates to more than 400 unique instances.

Crypto miners saw a slight decline in Q2 2025, representing 5% of the total malicious packages identified, as attackers shifted towards more profitable and persistent vectors.

The malicious npm package named crypto-encrypt-ts, which masqueraded as a legitimate revival of the widely used CryptoJS library, accumulated nearly 1,928 downloads before analysis revealed its stealthy, data-harvesting nature.

Data exfiltration remained the most common threat in Q2 2025, accounting for 55% of all malicious packages uncovered.