Q1 2026 Open Source Malware Index: Adaptive Attacks, Familiar Weaknesses

TL;DR Sonatype identified 21,764 open source malware packages in Q1 2026, bringing the total logged since 2017 to 1,346,867. npm accounted for 75% of malicious packages this quarter. Trojans dominated, with most activity focused on credential theft, host reconnaissance, and staged payload delivery. The quarter's defining pattern was trust abuse: ...

Axios Compromise on npm Introduces Hidden Malicious Package

A newly discovered software supply chain attack targeting the npm ecosystem briefly compromised one of the most widely used JavaScript libraries in the world ...

Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer

This morning, the widely used Python package litellm, a popular abstraction layer for interacting with large language models (LLMs), was compromised and two malicious versions released (1.82.7 and 1.82.8) ...

Sonatype Discovers Two Malicious npm Packages

Sonatype Security Research has identified a potential compromise of a trusted npm maintainer account that has now published two malicious npm packages — sbx-mask and touch-adv — designed to exfiltrate secrets from victims' computers ...

Hijacked npm Packages Deliver Malware via Solana, Linked to Glassworm

Sonatype Security Research has identified two hijacked npm packages in the React Native ecosystem that receive more than 30,000 downloads collectively per week and were modified to deliver multi-stage malware. Sonatype is tracking the malicious packages as sonatype-2026-001153 ...

pac4j CVE-2026-29000: Sonatype Finds 18 Additional Packages

A newly disclosed critical vulnerability in the widely used pac4j authentication framework is drawing attention across the open source community. Tracked as CVE-2026-29000, the flaw affects the pac4j-jwt library, which is commonly pulled in as a dependency by many popular Java authentication stacks, and could allow attackers to bypass authentication ...

SANDWORM_MODE: The Rise of Adaptive Supply Chain Worms

Earlier this year, we asked our team where they expect open source cyberattacks to go next. Sonatype Principal Security Researcher Garrett Calpouzos shared his thoughts on how he anticipates that attackers won't simply use automation, but will also abuse victims' AI tools: ...

Open Source Malware Index Q4 2025: Automation Overwhelms Ecosystems

As open source software continues to fortify modern applications, attackers are finding new and increasingly efficient ways to exploit the trust developers place in public ecosystems ...