MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
malware
Search

Sonatype warns of 18,000 open source malware packages

Friday April 4, 2025. 02:10 AM , from InfoWorld
Software supply chain security company Sonatype uncovered 17,954 open-source malware packages during Q1 2025, the company revealed in its Open Source Malware Index.

Sonatype’s Open Source Malware Index for Q1 2025 was introduced April 2. A proliferation of open source malware, or malicious open source packages, poses unprecedented risk in the form of software supply chain attacks, the company said. Open source malware is intentionally crafted to target developers, in order to infiltrate and exploit software chains, according to Sonatype.

The index examines evolving trends in open source malware and key shifts in malicious open source packages across ecosystems. Data for Q1 2025 showed a notable shift in the types of threats targeting software developers, with more than half of the malware aimed at exfiltrating sensitive data, Sonatype said.

To create the index, Sonatype examined a broad set of open source package consumption data and proprietary data, including malicious packages blocked by Sonatype Firewall. Sonatype also examined dependency update patterns for more than 1.5 trillion requests from Maven Central and thousands of open source projects, and analyzed malicious packages observed in the Java (Maven Central), JavaScript (NPM), Python (PyPI), and.NET (NuGet) ecosystems.

Key findings of the Open Source Malware Index for Q1 2025 include the following:

56% of malware discovered in Q1 2025 was related to data exfiltration, designed to harvest sensitive data from infected systems. This was a dramatic increase from 26% in Q4 2024.

Crypto-mining malware made up 7% of malicious packages discovered in the Q1 2025, doubling from 3.55% in Q4 2024.

Sonatype said it helped block more than 20,000 open source malware attacks in Q1 2025, with 66% of these at financial services companies, 14% at government organizations, and 7% at oil and gas utilities.

80% of logged packages in Q1 2025 were made up of more sophisticated and threatening types of malware, such as droppers and code injection malware.
Read more at InfoWorld
https://www.infoworld.com/article/3953841/sonatype-warns-of-18000-open-source-malware-packages.html

Related News

malware MITRE Warns CVE Program Faces Disruption (Security Week) LWN.netApr 15
open How to keep SMBs open for business – even when the power goes out ComputerWorldApr 15
source Browser extensions leave enterprises open to attack BetaNewsApr 15
sonatype US senator warns 'China is cheering' for proposed NASA budget cuts TheRegisterApr 15
packages Ubisoft makes Chroma colorblind tool open source for all developers BetaNewsApr 15
data Hugging Face Acquires Pollen Robotics to Unleash Open Source AI Robots Wired: Tech.Apr 14
index DeepSeek’s open source movement InfoWorldApr 14
malicious Network-based malware detections increase 94 percent BetaNewsApr 10
said DSPy: An open-source framework for LLM-powered applications InfoWorldApr 10
company Google adds open source framework for building agents to Vertex AI InfoWorldApr 9
ecosystems Google’s Agent2Agent open protocol aims to connect disparate agents InfoWorldApr 9
maven Don't open that JPEG in WhatsApp for Windows. It might be an .EXE TheRegisterApr 8
supply China's Biotech Advances Threaten US Dominance, Warns Congressional Report SlashdotApr 8
examined Tariff-ied Framework pulls laptops, Keyboardio warns of keystroke sticker shock TheRegisterApr 8
attacks Fifty Years of Open Source Software Supply Chain Security (Queue) LWN.netApr 7
malware In 'Milestone' for Open Source, Meta Releases New Benchmark-Beating Llama 4 Models SlashdotApr 6
open Open Source Coalition Announces 'Model-Signing' with Sigstore to Strengthen the ML Supply Chain SlashdotApr 5
source NSA Warns 'Fast Flux' Threatens National Security SlashdotApr 5
sonatype AI Could Affect 40% of Jobs and Widen Inequality Between Nations, UN Warns SlashdotApr 4
packages Camera Makers Defend Proprietary RAW Formats Despite Open Standard Alternative SlashdotApr 4
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Apr, Fri 25 - 01:35 CEST