New research examines growth in open source malware attacks, most prevalent against software developers at government and financial institutions
Fulton, Md. – December 10, 2024 – Sonatype®, the end-to-end software supply chain security platform, today released its 2024 in Open Source Malware threat report, which counts more than 778,500 malicious packages observed since the company started tracking them in 2019. In recent years, open source malware has proliferated. Sonatype researchers analyzed open source malware in 2024, examining how threat actors use malicious open source packages to target developers as enterprises flock to open source to build custom AI models.
Sonatype leads the industry in open source malware threat intelligence, with researchers uncovering major campaigns throughout the year including the pytoileur crypto stealer, a new attack using LUMMA malware, and the solana-py typosquat malware. Analyzing open source malware data and trends in 2024, Sonatype researchers found:
The popular open source code registry npm accounts for 98.5% of malicious packages observed. The JavaScript ecosystem’s massive 70% growth in download requests, driven largely by AI and spam, combined with minimal verification of newly published packages, makes it a popular target for threat actors.
PUAs (Potentially Unwanted Applications) represent the bulk of open source malware activity (64.75%). These can contain spyware, adware, or tracking components that compromise the security and privacy of end users. Other prevalent types of open source malware include security holding packages (24.2%) and data exfiltration (7.86%).
Government organizations are defending against the lion’s share of open source malware attacks. Sonatype helped customers block more than 450,000 malware attacks in 2024 — 67.31% at government organizations, 24% at financial services companies, and 2.15% in the energy, oil & gas sector.
Shadow downloads increased 32.8% over the past year. Open source malware is increasingly reaching developer machines through “shadow downloads,” packages pulled directly from public package registries rather than through the organization’s repository manager, which bypass repository policies and security checkpoints.
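One practical way to surface shadow downloads after the fact is to inspect the `resolved` URLs recorded in an npm lockfile: a package fetched through the repository manager carries the internal proxy hostname, while one pulled straight from a public registry carries the registry's hostname. The following script is an added example, not code from the report or from Sonatype; the lockfile contents are constructed, and the internal repository host `repo.example.internal` is an assumption.

```python
import json
from urllib.parse import urlparse

# Assumed hostname of the organization's repository manager (proxy) - an assumption for this example.
ALLOWED_HOSTS = {"repo.example.internal"}

# Constructed sample package-lock.json (lockfileVersion 3 layout); not real project data.
# left-pad was resolved through the internal proxy; lodash and some-tool were fetched
# directly from registry.npmjs.org (shadow downloads); local-lib comes from a file: path.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://repo.example.internal/repository/npm-proxy/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/some-tool": {
            "version": "0.0.1",
            "resolved": "http://registry.npmjs.org/some-tool/-/some-tool-0.0.1.tgz",
        },
        "node_modules/local-lib": {"version": "0.1.0", "resolved": "file:../local-lib"},
    },
})

# Constructed sample in the older lockfileVersion 1 layout (nested "dependencies" tree).
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "a": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/a/-/a-1.0.0.tgz",
            "dependencies": {
                "b": {
                    "version": "2.0.0",
                    "resolved": "https://repo.example.internal/repository/npm-proxy/b/-/b-2.0.0.tgz",
                }
            },
        }
    },
})


def _iter_resolved(data):
    """Yield (package_path, version, resolved_url) for every dependency in the lockfile.
    Handles lockfileVersion 2/3 (flat "packages" map) and lockfileVersion 1 (nested tree)."""
    if data.get("lockfileVersion", 1) >= 2:
        for path, meta in data.get("packages", {}).items():
            if path:  # the "" key is the root project itself, not a dependency
                yield path, meta.get("version"), meta.get("resolved")
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, meta.get("version"), meta.get("resolved")
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(data.get("dependencies", {}), "")


def find_shadow_downloads(lockfile_text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per dependency whose tarball was not resolved through an
    allowed repository-manager host. Non-HTTP sources (file:, git+ssh:, ...) are
    reported as well, since they also never passed through the proxy's policy checks."""
    data = json.loads(lockfile_text)
    findings = []
    for path, version, resolved in _iter_resolved(data):
        if not resolved:
            continue  # no resolved URL recorded; nothing to attribute
        url = urlparse(resolved)
        if url.scheme not in ("http", "https"):
            findings.append({"package": path, "version": version,
                             "reason": "non-registry source", "source": resolved})
            continue
        if url.hostname not in allowed_hosts:
            reason = "direct registry download"
            if url.scheme == "http":
                reason += " over plaintext http"  # also exposed to on-path tampering
            findings.append({"package": path, "version": version,
                             "reason": reason, "source": url.hostname})
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for finding in find_shadow_downloads(SAMPLE_LOCKFILE_V3):
        print(f"{finding['package']}@{finding['version']}: {finding['reason']} ({finding['source']})")
```

Run against a real `package-lock.json` by reading the file into `find_shadow_downloads`; a non-empty result on a CI runner is a signal that a developer's `.npmrc` or a build step is pointed at the public registry instead of the repository manager, which is exactly the path a repository firewall cannot see.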
“Software developers have become the prime target for the next evolution of software supply chain attacks,” said Brian Fox, CTO and Co-Founder at Sonatype. “Open source malware is uniquely nefarious — it sits between endpoint solutions, which can’t detect this method of delivery, and traditional vulnerability analysis. Too many enterprises treat open source malware like vulnerabilities in code, waiting to catch bugs during scanning which is too late. It is imperative for organizations to take a proactive approach, preventing consumption of open source malware before it enters their development pipelines.”
For over a decade, Sonatype has provided year-over-year analyses of open source consumption data in its annual State of the Software Supply Chain® report. This year’s report, released in October, found a 156% increase in open source malware over 2023, and Sonatype estimates that 50% of unprotected repositories already have cached open source malware.
Sonatype Repository Firewall is the only solution that combats malicious open source attacks, detects and blocks vulnerabilities, and ensures security of open source code repositories with the help of AI behavioral analytics and automated policy enforcement. Backed by Sonatype’s industry-leading research team, Sonatype Repository Firewall helped customers prevent more than 450,000 malware attacks in 2024.
For a full recap on open source malware this year, visit 2024 in Open Source Malware.
Sonatype is the software supply chain security company. We provide the world’s best end-to-end software supply chain security solution, by combining the only proactive protection against malicious open source, the only enterprise grade SBOM management and the leading open source dependency management platform. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.
Sonatype examined a broad set of open source package consumption data and proprietary data, including shadow downloads (packages downloaded directly from package managers, bypassing repository manager protections), malicious packages blocked by Sonatype Repository Firewall, dependency update patterns across more than 1.5 trillion requests to Maven Central and thousands of open source projects, and assessments of hundreds of thousands of enterprise applications. The report also analyzed malicious packages observed in the Java (Maven Central), JavaScript (npm), Python (PyPI), and .NET (NuGet) ecosystems.