Researchers Uncover 454,000+ Malicious Open Source Packages

By Team-CWD, January 29, 2026
Security researchers have warned that the open source ecosystem has become a “structural risk,” after revealing another surge in malicious packages last year.

Sonatype said in its 2026 State of the Software Supply Chain report that developers downloaded components 9.8 trillion times last year across Maven Central, PyPI, npm and NuGet. The challenge is that many of these contained malware or vulnerabilities.

The security vendor said it discovered 454,648 new malicious packages last year, warning that threats had evolved from “spam and stunts” into “sustained, industrialized campaigns” – many of which are state sponsored.

“Public registries provide a low-friction distribution channel, while developer machines and CI/CD pipelines provide an execution environment that often sits close to sensitive data and production access,” the report noted.

“As a result, the malicious package is increasingly not the whole attack, but the first step in a larger supply chain intrusion.”

Over half (56%) of recorded malicious packages were classified as “repository abuse,” including efforts to persuade users to click on spammy links or the harvesting of TEA tokens. A further 28% were classed as potentially unwanted apps, such as empty packages, demos with hardcoded credentials and messaging app spam bot orchestration frameworks.

Other popular categories included host information and secrets exfiltration, droppers/loaders and backdoors – indicating the multi-stage nature of attacks that begin with malicious packages.


Threat actors are apparently turning to “social and technical mimicry” to target stretched developers.

These techniques include typosquatting and namespace confusion, toolchain masquerading and front-end workflow lures.

“Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume,” the report said.

“They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.”

The Problem With AI

AI represents another threat to developers, as it becomes more important to modern pipelines. Malicious payloads are being hidden in AI models, as well as container images and helper binaries, and distributed through trusted platforms like Hugging Face, Sonatype claimed.

Meanwhile, AI agents threaten to amplify the risk of malicious or buggy packages because they fail to check provenance, policy or known-malicious indicators. Many fall for the deceptive naming patterns and evasion tactics used by threat actors to mimic legitimate dependencies, the report argued.

On other occasions, AI agents recommend non-existent versions. Sonatype analyzed nearly 37,000 real dependency upgrades assisted by LLMs across Maven, npm, PyPI and NuGet. It claimed 28% were hallucinations.
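The two failure modes above (lookalike names that mimic legitimate dependencies, and versions that do not exist) can both be caught before an install runs. The following added example, not code from the article or from Sonatype, is a small pre-install gate for LLM-suggested Python requirements; the KNOWN index is a constructed stand-in for a live registry lookup, and the 0.8 similarity cut-off is an assumed tuning value.

```python
"""Pre-install gate for LLM-suggested dependency upgrades (added example)."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for registry metadata: normalized name -> released versions.
# In practice this would be a live lookup (for example the registry's JSON API).
KNOWN = {
    "requests": {"2.31.0", "2.32.3"},
    "sympy": {"1.12", "1.13.3"},
    "numpy": {"1.26.4", "2.1.3"},
}

# Accepts only strict pins ("name==version"); anything else is left for a human.
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def closest_known(name: str) -> tuple[str, float]:
    """Nearest known package name and a similarity ratio in [0, 1]."""
    best = max(KNOWN, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best, SequenceMatcher(None, name, best).ratio()

def check_requirement(line: str) -> dict:
    """Classify one pin as ok, unknown_version, lookalike_name, unknown_name or unparsed."""
    m = REQ.match(line)
    if not m:
        return {"line": line, "status": "unparsed"}
    name, version = normalize(m.group(1)), m.group(2)
    if name in KNOWN:
        if version in KNOWN[name]:
            return {"name": name, "version": version, "status": "ok"}
        # Name is real but the version was never published: a hallucinated upgrade.
        return {"name": name, "version": version, "status": "unknown_version"}
    # Name is not in the index: near-miss of a known name suggests typosquatting.
    near, score = closest_known(name)
    status = "lookalike_name" if score >= 0.8 else "unknown_name"
    return {"name": name, "version": version, "status": status, "nearest": near}

def gate(requirements: str) -> list[dict]:
    """Run every non-empty line through the check; only 'ok' lines should reach pip."""
    return [check_requirement(l) for l in requirements.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed sample of an LLM-proposed requirements file.
    sample = "requests==2.32.3\nrequests==2.99.0\nsympyy==1.13.3\nrequets==2.31.0\n"
    for result in gate(sample):
        print(result)
```

Wiring `gate` into CI so that anything other than `ok` fails the build turns the provenance check the report says agents skip into a mandatory step.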

Open Source Bugs Are Everywhere

Sonatype also warned that severe vulnerabilities remain widespread in the open source ecosystem. In 2025, 40% of vulnerable Maven Central releases and 39% of NuGet releases carried CVSS 9.0+ scores.

The problem for security teams is compounded by a lack of vulnerability intelligence. Two-thirds (65%) of open source CVEs were not assigned CVSS scores by the National Vulnerability Database (NVD), Sonatype said.

Even when information and patches exist, buggy versions continue to be downloaded en masse.

“Set-and-forget dependencies, transitive sprawl, and upgrade friction keep old risk flowing into new builds,” the report warned.

“The problem is not awareness. It is workflow inertia and unclear ownership.”
