Report by Sonatype

Open Source Malware Index Q2 2025

11 findings · Published Jul 8, 2025

Key Findings

Sonatype detected and logged 107 malicious components attributed to the Lazarus Group, a North Korea-linked Advanced Persistent Threat (APT), across both npm and PyPI in late Q2 2025.

Source: Sonatype, Open Source Malware Index Q2 2025 · Jul 8, 2025
Tags: Open source, Malicious packages

The collection of more than 100 packages attributed to the Lazarus Group has a total of over 30,050 known downloads.

16,279 pieces of open source malware were discovered during the second quarter of 2025 (April 1 through June 30, 2025). This is comparable to the more than 17,000 malicious packages identified in the preceding quarter, Q1 2025.

845,204 malicious packages have been identified across open source repositories to date, and the count is still rising.

There was a 188% increase in open source malware discovered in Q2 2025 compared to Q2 of the previous year.

The "Yeshen-Asia" campaign, a sprawling six-month operation attributed to a suspected Chinese threat actor, involved over 60 malicious npm packages.

Over 4,400 packages discovered in Q2 2025 were specifically designed to steal sensitive information, including secrets, personally identifiable information (PII), credentials, and API tokens.

Malware specifically targeting data corruption doubled in frequency in Q2 2025, making up 3% of total malicious packages, which equates to more than 400 unique instances.

Crypto miners saw a slight decline in Q2 2025, representing 5% of the total malicious packages identified, as attackers shifted towards more profitable and persistent vectors.

The malicious npm package crypto-encrypt-ts, which masqueraded as a legitimate revival of the widely used but unmaintained CryptoJS library, had accumulated 1,928 downloads before analysis revealed its stealthy, data-harvesting behavior.

Data exfiltration remained the most common threat in Q2 2025, accounting for 55% of all malicious packages uncovered.
