Hackers are weaponizing open-source. Developers are swallowing the bait


Open-source code is open to everyone – including hackers – and with malware booming, experts warn that it’s time to watch your back.

If you're building software today, you're already in the blast zone. While open source remains the lifeblood of modern software, it is increasingly being targeted by malware authors.

In the second quarter of 2025, data exfiltration remained the top priority for attackers looking to quietly compromise developer environments from the inside out.


In its newest report, Sonatype uncovered 16,279 new malicious packages lurking inside public software repositories such as npm and PyPI, bringing the running total to more than 845,000.

As more developers rely on public code to build faster and ship bigger, attackers are slipping in to weaponize trust. Hackers hide malicious code inside everyday software libraries that developers use, aiming to steal sensitive information from build systems and CI/CD pipelines. Fifty-five percent of all packages identified were aimed at data exfiltration.


This trend marks another chapter in an escalating arms race inside the software supply chain, where developers, and not the end users, have become the front-line targets.

According to the researchers, this is dangerous because attacks aimed at credentials and API keys quietly lay the groundwork for large-scale supply chain breaches and cloud account takeovers.

What’s being targeted and why

Unlike traditional phishing scams aimed at office workers, malware in open-source repositories goes after developers. According to Sonatype’s research, thousands of malicious packages uncovered this quarter were engineered to extract sensitive information, such as:
  • .git-credentials
  • AWS secrets
  • Environment variables
  • CI/CD tokens

“Once attackers collect these credentials, they can attempt unauthorized access to cloud accounts, APIs, databases, and internal systems, opening the door to broader compromise and exploitation,” said Sonatype Principal Security Researcher Garrett Calpouzos.

Chinese and North Korean hackers take aim

Among the malware identified, researchers point to an incident in April 2025, when developers were tricked by a malicious package in the npm registry. At first glance, it looked like a resurrection of CryptoJS, a once-popular, now-abandoned JavaScript encryption library.

But under the hood, the malware was harvesting sensitive data, such as crypto wallet info, MongoDB connection strings, and environment variables from users' systems.

Another dangerous campaign targeting open source code was identified as “Yeshen-Asia.” Starting in late 2024, a suspected Chinese threat actor quietly seeded more than 60 malicious npm packages across the open source ecosystem, each masquerading as a harmless utility for developers.


These packages were pushed through a network of distinct author accounts, each tied to different email addresses, all eventually tracing back to the yeshen.asia domain and funneling data to the same command-and-control infrastructure. One npm author racked up more than 23,000 installs before the malicious package was taken down.

By the end of Q2 2025, Sonatype was tracking a steady drip-feed of malware tied to the Lazarus Group, the notorious North Korea-backed threat actor. Over just three months, 107 malicious packages authored by the group surfaced across npm and PyPI, dressed up as legitimate developer tools.
