Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows
Target Trend
Summary
Malicious open source packages are shifting away from misspellings and toward plausible plugin, config, SDK, and helper names, expanding the risk of credential theft and follow-on compromise in developer pipelines. Sonatype analyzed 4,309 packages and found 91% used naming-variant tactics, leaving only 9% dependent on classic typosquatting. The most common behaviors were host and secrets exfiltration, followed by droppers and backdoors. The trend makes routine dependency installation a broader supply-chain exposure for developers and build workflows.
Related Happenings
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources: 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Open-source developers face a surge in malicious packages and vulnerable releases
Target Trend
First: 28.01.2026 13:00
Last: 28.01.2026 13:00
Sources: 1
About this happening:
**Open-source package ecosystems** are seeing a sustained surge in **malicious packages** and **high-risk vulnerable releases**, expanding supply-chain risk for **developers** and...
IndonesianFoods npm self-spreading worm
Malware Activity
First: 14.11.2025 00:07
Last: 14.11.2025 00:07
Sources: 1
About this happening:
The **IndonesianFoods** **npm worm** is **self-spreading** by publishing new packages every **seven seconds**, flooding the registry and creating **supply-chain risk**. Sonatype s...
Timeline
- 28.05.2026 18:30 (2 articles)
Sonatype analyzes 4,309 malicious open source packages for naming-variant impersonation
Technical Analysis Update
Sonatype analyzed 4,309 malicious open source packages and found that 91% used naming-variant tactics rather than classic typosquatting, while only 9% relied on spelling slips. The analysis says attackers are disguising packages as plausible plugins, configs, SDKs, wrappers and helpers, with suffix addition the most common tactic at 43.6% and host and secrets exfiltration the most common behavior, followed by droppers and backdoors.
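A small triage heuristic, added here as an example and not Sonatype's tooling, that sorts a candidate package name into the categories the summary and this analysis entry describe: a naming variant built from a known name plus an added suffix or prefix (often a plugin/config/SDK/wrapper/helper word) versus a classic one-edit typosquat. The allowlist, the role-word list and the `classify`/`edit_distance` helpers are constructed for the example; in practice the allowlist would come from your lockfiles or a registry top-N list.

```python
from __future__ import annotations
import re

# Constructed allowlist of well-known package names (sample data for the example).
KNOWN_PACKAGES = {"requests", "lodash", "express", "axios", "colorama"}
# Role words used as plausible disguises; list assumed for the example.
ROLE_WORDS = {"plugin", "config", "sdk", "wrapper", "helper", "utils", "cli"}
_SEP = re.compile(r"[-_.]")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name: str, known: set[str] = KNOWN_PACKAGES) -> tuple[str, str | None]:
    """Return (tactic, impersonated_package) for a candidate package name."""
    name = name.lower()
    if name in known:
        return ("exact", name)
    tokens = _SEP.split(name)
    # Naming variant: a known name kept intact, with tokens added around it.
    for base in sorted(known, key=len, reverse=True):
        if len(tokens) > 1 and base in tokens:
            if tokens[0] == base:
                tactic = "suffix_addition"
            elif tokens[-1] == base:
                tactic = "prefix_addition"
            else:
                tactic = "infix_variant"
            if any(t in ROLE_WORDS for t in tokens if t != base):
                tactic += "+role_word"
            return (tactic, base)
    # Classic typosquat: one edit away from a known name (also catches bare
    # appended characters without a separator, e.g. an extra trailing letter).
    for base in known:
        if edit_distance(name, base) == 1:
            return ("typosquat", base)
    return ("unrelated", None)
```

Run `classify` over names from a new lockfile diff or a registry feed and route anything other than `exact` or `unrelated` to manual review before installation.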
- Attackers Move Past Typosquatting to Realistic Package Impersonation — www.infosecurity-magazine.com — 28.05.2026 18:30