Open-source developers face a surge in malicious packages and vulnerable releases
Trend
Summary
Hide ▲
Show ▼
Open-source package ecosystems are seeing a sustained surge in malicious packages and high-risk vulnerable releases, expanding supply-chain risk for developers and CI/CD pipelines. One measured set of registries saw 454,648 new malicious packages alongside 9.8 trillion downloads across Maven Central, PyPl, npm, and NuGet. The threat now extends beyond nuisance uploads to industrialized campaigns, repository abuse, and multi-stage payload delivery. That raises the chance that a routine dependency install becomes the first step in a larger intrusion.
Related Happenings
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows
Trend
H score39
First: 28.05.2026 18:30
Last: 28.05.2026 18:30
Sources 1
About this happening:
**Malicious open source packages** are shifting away from misspellings and toward plausible **plugin, config, SDK, and helper** names, expanding the risk of **credential theft** a...
Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows
TrendAbout this happening: **Malicious open source packages** are shifting away from misspellings and toward plausible **plugin, config, SDK, and helper** names, expanding the risk of **credential theft** a...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Timeline
-
28.01.2026 13:00 2 articles · 5mo ago
Sonatype flags open-source package ecosystem as a structural risk
Initial DisclosureSonatype’s 2026 State of the Software Supply Chain report identifies the open-source ecosystem as a structural risk, citing 9.8 trillion component downloads across Maven Central, PyPl, npm and NuGet, 454,648 new malicious packages last year, and a shift toward sustained, industrialized campaigns that abuse public registries, hide payloads in AI models and trusted platforms like Hugging Face, and target developers through deceptive dependency names and supply-chain staging. The report also says 28% of nearly 37,000 LLM-assisted dependency upgrades were hallucinations, 65% of open source CVEs lacked CVSS scores in NVD, and in 2025, 40% of vulnerable Maven Central releases and 39% of NuGet releases carried CVSS 9.0+ scores.
Show sources
- Researchers Uncover 454,000+ Malicious Open Source Packages — www.infosecurity-magazine.com — 28.01.2026 13:00
- Researchers Uncover 454,000+ Malicious Open Source Packages — www.infosecurity-magazine.com — 28.01.2026 13:00