MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
malware
Search

Sonatype warns of 18,000 open source malware packages

Friday April 4, 2025. 02:10 AM , from InfoWorld
Software supply chain security company Sonatype uncovered 17,954 open-source malware packages during Q1 2025, the company revealed in its Open Source Malware Index.

Sonatype’s Open Source Malware Index for Q1 2025 was introduced April 2. A proliferation of open source malware, or malicious open source packages, poses unprecedented risk in the form of software supply chain attacks, the company said. Open source malware is intentionally crafted to target developers, in order to infiltrate and exploit software chains, according to Sonatype.

The index examines evolving trends in open source malware and key shifts in malicious open source packages across ecosystems. Data for Q1 2025 showed a notable shift in the types of threats targeting software developers, with more than half of the malware aimed at exfiltrating sensitive data, Sonatype said.

To create the index, Sonatype examined a broad set of open source package consumption data and proprietary data, including malicious packages blocked by Sonatype Firewall. Sonatype also examined dependency update patterns for more than 1.5 trillion requests from Maven Central and thousands of open source projects, and analyzed malicious packages observed in the Java (Maven Central), JavaScript (NPM), Python (PyPI), and.NET (NuGet) ecosystems.

Key findings of the Open Source Malware Index for Q1 2025 include the following:

56% of malware discovered in Q1 2025 was related to data exfiltration, designed to harvest sensitive data from infected systems. This was a dramatic increase from 26% in Q4 2024.

Crypto-mining malware made up 7% of malicious packages discovered in the Q1 2025, doubling from 3.55% in Q4 2024.

Sonatype said it helped block more than 20,000 open source malware attacks in Q1 2025, with 66% of these at financial services companies, 14% at government organizations, and 7% at oil and gas utilities.

80% of logged packages in Q1 2025 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware.
Read more at InfoWorld
https://www.infoworld.com/article/3953841/sonatype-warns-of-18000-open-source-malware-packages.html

Related News

malware AI Could Affect 40% of Jobs and Widen Inequality Between Nations, UN Warns SlashdotApr 4
open Camera Makers Defend Proprietary RAW Formats Despite Open Standard Alternative SlashdotApr 4
source Climate Crisis On Track To Destroy Capitalism, Warns Top Insurer SlashdotApr 3
sonatype Mario Kart World: new Nintendo racer is open-world for some reason BoingBoingApr 3
packages Open-Source Tool Designed To Throttle PC and Server Performance Based On Electricity Pricing SlashdotApr 3
data Bill Gates Celebrates Microsoft's 50th By Releasing Altair BASIC Source Code SlashdotApr 3
index Delicious irony as Euro alliance pumps €1M of Microsoft's money into open source cloud federation tech TheRegisterApr 1
malicious RISC OS Open plots great escape from 32-bit purgatory TheRegisterApr 1
said Generative AI app goes dark after child-like deepfakes found in open S3 bucket TheRegisterApr 1
company CISA spots spawn of Spawn malware targeting Ivanti flaw TheRegisterApr 1
ecosystems OpenAI Plans To Release a New 'Open' AI Language Model In the Coming Months SlashdotMar 31
maven Talking to AI ‘Is Not Therapy,’ Mental Health Scholar Warns eWeekMar 31
supply Sam Altman Says OpenAI Will Release an ‘Open Weight’ AI Model This Summer Wired: Tech.Mar 31
examined Open Source Genetic Database Shuts Down To Protect Users From 'Authoritarian Governments' SlashdotMar 31
attacks Soundcore Aeroclip Open-Ear Earbuds Review: Great Value Wired: Tech.Mar 31
malware Ransomware crews add 'EDR killers' to their arsenal – and some aren't even malware TheRegisterMar 31
open Oracle Health reportedly warns of info leak from legacy server TheRegisterMar 31
source How Rust Finally Got a Specification - Thanks to a Consultancy's Open-Source Donation SlashdotMar 30
sonatype 'An Open Letter To Meta: Support True Messaging Interoperability With XMPP' SlashdotMar 29
packages Malware in Lisp? Now you're just being cruel TheRegisterMar 29
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Apr, Fri 4 - 20:33 CEST