Sonatype CTO talks on targeting developers by infecting code repositories.
Almost 18,000 open source malware packages were identified in Q1, more than double the number found in Q1 of 2024.
According to research from Sonatype, 56 percent of the malware discovered in Q1 2025 was related to data exfiltration attacks, more than double the number detected in Q4 2024 (26 percent), whilst 66 percent of observed attacks targeted financial services companies, percent at government organisations, and seven percent in the utilities, oil and gas sector.
Meaningful Change
"The data shows a meaningful change in how ecosystem maintainers are taking action against harmful components, but it also reflects the growing sophistication of threat actors," said Brian Fox, Co-founder and CTO of Sonatype.
"We have seen a rise in more sophisticated types of open source malware, showing that attackers are innovating in ways that demand ongoing vigilance. You have to block it before it enters the development environment — if open source malware is in your repository, it’s already too late."
Open Source Libraries
Speaking to SC UK, Fox explains that what defines open source malware is its delivery mechanism. Developers pull open source libraries into their applications, an average of 90 percent of an application is made up of open source code, and developers work on privileged machines. Attackers have realised that this combination is a unique way to get malicious content into the libraries developers consume.
“It's like a spear phishing attack on developers using open source components, which is basically the way to think about it,” he says. “So as soon as the developer downloads it, the payload triggers, and it could be anything to try to drop a backdoor, and oftentimes it's exfiltrating data, whatever is on the developer machine in terms of environment variables, which could be cloud keys or anything.
“They take it, ship it, so as soon as they download it, the attack is done and over with and if you didn't stop it before that, it is too late.”
Fox explains that the target is not the application itself; the target is the developer’s machine, where the payload does whatever it was written to do. “This might leave something behind, like a backdoor, but most of the time it's trying to exfiltrate data and send it off, and then the attackers would come back later using those keys to try to get into the cloud, to get into databases.”
Not Target Users
He says the challenge is that you have to defend against it before it lands on the developer’s machine, because the goal is usually not to reach the application's end users but to compromise that machine.
“If you've focused on trying to do a vulnerability scan, it's too late because it already happens on a developer’s machine,” he says. “In fact, you might not even see it in the continuous integration because often those things don't even compile. You might not see it on the build pipeline because it failed on the developer machine, and they think, ‘oh, I just made a mistake’, and then they go get the real one - but the attack already happened.”
What is the solution here? Fox says this is a very different problem from traditional vulnerabilities, as “the attack is focused all the way on the left, not on the right” and the attacker could be targeting the developer, or it could be targeting the build system.
“These are privileged executions within the developer and development environment, which makes them riskier - that's why they are attacking.”
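Fox's point is that the only effective control sits before the package reaches the developer's machine. As an added illustration of that kind of gate (example code written for this article, not Sonatype's or any vendor's tooling), the script below inspects an npm package.json for install-time lifecycle hooks, the point at which a payload would run during `npm install`, and flags hooks that read the environment, fetch remote content or evaluate inline code. The package name, versions and manifests are constructed samples.

```python
import json
import re

# npm runs these scripts automatically during `npm install`; any payload that
# "triggers as soon as the developer downloads it" lives in one of them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Traits in a hook command that warrant a human review before the package is
# admitted to the development environment.
SUSPICIOUS = {
    "reads_environment": re.compile(r"process\.env|\$\{?[A-Z_]{3,}\}?|os\.environ"),
    "fetches_remote": re.compile(r"\b(curl|wget|https?://)", re.I),
    "inline_eval": re.compile(r"\b(eval|node\s+-e|sh\s+-c)\b"),
}


def inspect_manifest(manifest_text):
    """Return one finding per install-time hook present in a package.json."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        reasons = [name for name, pat in SUSPICIOUS.items() if pat.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


def allow_package(manifest_text):
    """Policy: admit the package only if no install hook matches a suspicious trait."""
    return all(not f["reasons"] for f in inspect_manifest(manifest_text))


# Constructed sample manifests: a plain library, a native addon whose install
# hook is expected, and a version whose postinstall hook reads the environment.
BENIGN_MANIFEST = json.dumps({"name": "left-widget", "version": "1.0.0",
                              "scripts": {"test": "jest"}})
NATIVE_MANIFEST = json.dumps({"name": "left-widget", "version": "1.0.1",
                              "scripts": {"install": "node-gyp rebuild"}})
HOOKED_MANIFEST = json.dumps({"name": "left-widget", "version": "1.0.2",
                              "scripts": {"postinstall": 'node -e "console.log(process.env.HOME)"'}})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("native", NATIVE_MANIFEST),
                        ("hooked", HOOKED_MANIFEST)):
        print(label, "allowed" if allow_package(text) else "blocked", inspect_manifest(text))
```

A hook with no suspicious trait (the native addon) still produces a finding, so a reviewer can see every package that executes code at install time even when policy lets it through.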
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.