Q2 2026 Open Source Malware Index: Attackers Abuse Developer Trust
9 minute read time
TL;DR
-
At the end of Q2 2026, Sonatype Research reached 1.8 million malicious packages logged.
-
In Q2, npm accounted for 96.6% of malicious package counts, with repository abuse and trojan-class activity showing how attackers continue to exploit high-trust, high-automation ecosystems.
-
The quarter's defining theme was trust under pressure. Large-scale repository abuse campaigns, worm-like malware, dependency confusion, and maintainer compromises turned trusted software distribution channels into attack paths.
-
Q2 showed attackers evolving beyond obvious malicious packages to target trusted developer workflows through campaigns like Shai-Hulud Miasma, CanisterSprawl, Atomic Arch, malicious PyTorch Lightning releases, dependency confusion, and maintainer/package hijacking.
In Q2 2026, Sonatype Research reached more than 1.8 million malicious packages logged across ecosystems over the past decade. This quarter's malicious activity was driven overwhelmingly by npm, which accounted for 96.6% of packages.
This quarter was not shaped primarily by isolated malicious uploads, but rather a more industrialized pattern of abuse, for example:
-
Large-scale package publication
-
Repository misuse
-
Trojan-class malware operating at massive volumes
npm's dominance should not flatten the story. Sonatype also observed lower-volume but higher-signal malicious behavior across PyPI, NuGet, Hugging Face models, RubyGems, Go, Cargo, and other ecosystems. So, npm produced the flood, but the broader ecosystem showed how attackers continue to probe trusted developer workflows.
Q2 pushed a Q1 trend even further: open source malware is no longer only a package-by-package detection problem. Defenders must understand how malicious packages behave, where they execute, and which trust relationships they abuse.

npm Dominated, But Trust Was the Target
npm dominated Q2 by count, but outside npm, the threat landscape became far more concentrated. Nearly 87% of all non-npm malicious package activity occurred in just two ecosystems: PyPI (48.5%) and NuGet (38.0%). Hugging Face models (6.8%) and RubyGems (3.0%) accounted for much of the remainder.
PyPI and NuGet also carried the highest concentrations of higher-risk behaviors:
| Threat Type | Quantity in PyPI | Quantity in NuGet |
| Potentially unwanted applications (PUAs) | 3,286 | 3,268 |
| Secrets exfiltration | 2,155 | 1,962 |
| Droppers | 1,326 | 676 |
| Host information exfiltration | 341 | 8 |
While repository abuse and trojan activity drove overall volume, the concentration of exfiltration and payload-delivery behaviors in PyPI and NuGet reinforces that attackers continue to target multiple trusted ecosystems — not just npm.
Trojan activity shows the payload problem. Brandjacking and hijacking show the trust problem. Q2 illustrated both as attackers used npm's reach, familiar package names, compromised maintainers, and dependency relationships to turn trusted paths into attack paths.
The Quarter's Defining Pattern: Trusted Paths Became Attack Paths
The Q2 dataset is reinforced by the quarter's malware research. Sonatype Research published extensively on campaigns that abused trusted packages, maintainers, dependency relationships, and install-time workflows.
Instead of analyzing each campaign in isolation, let's organize them according to the broader patterns they demonstrate.
Self-Propagating and Maintainer-Focused Malware Continued to Evolve
Shai-Hulud remained one of the clearest examples of attackers turning trusted packages into propagation infrastructure.
In early June, Sonatype Research tracked a new Shai-Hulud Miasma wave affecting hundreds of npm packages. Moving beyond standard installation scripts, the campaign abused binding.gyp to execute during install, allowing it to harvest developer and CI/CD data, steal tokens, validate credentials, and publish more malicious artifacts.
Attackers adapted to defender expectations. If security teams only look for suspicious lifecycle scripts in package.json, attackers will move execution elsewhere.
We also tracked CanisterSprawl, a self-propagating npm malware campaign that stole sensitive data from developer machines and then used hijacked credentials to publish additional compromised packages.
Credential theft is no longer always the end state. In modern open source malware, stolen credentials can become the next distribution mechanism.
Dependency Relationships Became a Delivery Mechanism
Several Q2 campaigns showed attackers abusing the way package managers resolve and install dependencies.
In a 176-package npm campaign leveraging dependency confusion, Sonatype researchers found malicious packages with exceptionally high version numbers designed to win automated resolution races against internal dependencies. The malware host environments, downloaded platform-specific payloads, and harvested environment variables, credentials, CI/CD secrets, and authentication tokens.
The easy-day-js campaign followed a related pattern. Attackers compromised trusted Mastra packages and added a malicious dependency, causing installs of those packages to also install and execute easy-day-js.
Atomic Arch extended this pattern past npm by targeting orphaned Arch User Repository packages. By modifying PKGBUILDs to pull in a malicious npm dependency, the campaign enabled credential harvesting, stealth, anti-debugging, and data exfiltration, ultimately impacting around 1,500 packages across multiple waves.
These campaigns demonstrate that attackers do not always need to convince developers to install obviously malicious packages. Compromising a trusted dependency relationship is enough.
Trusted Packages and Maintainers Remained High-Value Targets
Q2 also showed continued attacker focus on trusted packages and maintainer accounts.
For the PyTorch Lightning incident, Sonatype reported how malicious versions of the popular lightning package were uploaded to PyPI after a publisher account compromise. The malicious versions were designed to steal developer credentials and republish malicious versions of repositories accessible through stolen tokens.
We also reported hijacked Red Hat Cloud Services packages that delivered install-time malware designed to steal credentials, spread through trusted workflows, and expose developer environments.
Another hijacked npm package attempted to deliver malware linked to PolinRider, exposing developer systems, CI/CD pipelines, and credentials.
These incidents show why maintainer and publisher security remains central to open source risk. Once a trusted package or account is compromised, the attacker inherits legitimacy.
Brandjacking Remained a Persistent Trust-Abuse Technique
Q2 also included activity associated with Lazarus Group brandjacking on npm. Sonatype reported a campaign involving dozens of packages, some with up to 500 weekly downloads, that used naming and mimicry tactics to appear as though they belonged in legitimate developer environments.
Brandjacking is smaller than trojan activity by raw count in the Q2 dataset, but it remains dangerous because it targets developer assumptions. Attackers mimic naming conventions, ecosystem patterns, organizational signals, and package relationships to get malicious software installed.
The Defender's Challenge: Prioritize Without Being Blinded by Volume
Data and incidents from Q2 2026 illustrate that although the volume of malicious packages is significant, quantity alone cannot function as a proper risk model.
Focusing only on the largest category reduces the quarter to npm repository abuse. Similarly, focusing solely on severe payloads overlooks the automation, trust abuse, and dependency-chain behaviors that enable malicious packages to spread.
Modern open source malware often executes during installation, build, or CI/CD automation rather than waiting for application runtime. Traditional scanning frequently detects artifacts too late — after execution has occurred, secrets are exposed, and follow-on activity is already underway. Consequently, security controls must operate earlier and continuously.
Organizations should:
-
Block known malicious components before they enter internal repositories.
-
Automate detection of malicious behavior across direct and transitive dependencies.
-
Enforce validation of package provenance, publisher behavior, and release integrity.
-
Protect internal namespaces against dependency confusion.
-
Rotate credentials when developer or CI/CD environments may have been exposed.
-
Extend software supply chain governance to AI and ML artifacts, not just traditional package managers.
When Scale Becomes the Threat
Q2 2026 was marked not merely by a rise in malicious packages but a clear demonstration of how open source malware has become industrialized.
Attackers continue to concentrate activity in npm while refining cross-ecosystem techniques. They abuse trusted packages, maintainers, dependencies, and install behaviors, using stolen credentials to compromise victims and propagate through the software supply chain.
While data highlights npm, the actual threat landscape is broader. Attackers exploit systemic trust, automation, and dependency resolution, meaning defenders cannot treat malicious packages as isolated artifacts.
Open source remains a great accelerator of modern software development. But Q2 2026 shows that the same scale that makes open source powerful also makes it attractive to attackers.
When trusted paths become attack paths, security needs to move earlier, faster, and with more context.
Written by Sonatype Research Team
Sonatype's Research Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.
Explore All Posts by Sonatype Research TeamTags
Build Smarter with AI and ML.
Take control of your AI/ML usage with visibility, policy enforcement, and regulatory compliance.