Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Open-source developers face a surge in malicious packages and vulnerable releases

Target Trend
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

Open-source package ecosystems are seeing a sustained surge in malicious packages and high-risk vulnerable releases, expanding supply-chain risk for developers and CI/CD pipelines. One measured set of registries saw 454,648 new malicious packages alongside 9.8 trillion downloads across Maven Central, PyPl, npm, and NuGet. The threat now extends beyond nuisance uploads to industrialized campaigns, repository abuse, and multi-stage payload delivery. That raises the chance that a routine dependency install becomes the first step in a larger intrusion.

Related Happenings

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

Open Happening

Hugging Face shared-loader supply chain campaign

Campaign
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

Open Happening

Npm typosquatting campaign distributing WinOS 4.0 implant

Campaign
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...

Open Happening

Widespread end-of-life package exposure across major open-source registries

Target Trend
First: 05.05.2026 17:00 Last: 05.05.2026 17:00 Sources 1

About this happening: End-of-life open source packages remain widespread across **major registries**, leaving **enterprise dependency graphs** exposed to versions with no patch path and limited CVE cov...

Open Happening

Axios JavaScript NPM package hit by network compromise

Incident
First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: **Axios** suffered a **supply-chain compromise** after malicious versions were published to **NPM**, creating a high-risk exposure for developers and downstream consumers. The mal...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.

Open Happening

Timeline

  1. 28.01.2026 13:00 2 articles · 3mo ago

    Sonatype flags open-source package ecosystem as a structural risk

    Initial Disclosure

    Sonatype’s 2026 State of the Software Supply Chain report identifies the open-source ecosystem as a structural risk, citing 9.8 trillion component downloads across Maven Central, PyPl, npm and NuGet, 454,648 new malicious packages last year, and a shift toward sustained, industrialized campaigns that abuse public registries, hide payloads in AI models and trusted platforms like Hugging Face, and target developers through deceptive dependency names and supply-chain staging. The report also says 28% of nearly 37,000 LLM-assisted dependency upgrades were hallucinations, 65% of open source CVEs lacked CVSS scores in NVD, and in 2025, 40% of vulnerable Maven Central releases and 39% of NuGet releases carried CVSS 9.0+ scores.

    Show sources
    Open in new tab