Open-source software powers the modern world, but open source malware risks are growing faster than ever.
Attackers are increasingly planting malicious packages in public registries to steal developer credentials and breach software supply chains.
Why Open Source Is Under Attack
Open-source code is available to everyone, including cybercriminals.
With malware on the rise, attackers are quietly slipping malicious packages into public registries.
In the second quarter of 2025, data exfiltration was the most common goal of the malicious packages found.
Attackers now aim to compromise developers directly, targeting their tools, workstations, and cloud infrastructure.
According to Sonatype’s latest report, researchers discovered 16,279 new malicious packages hidden in public repositories.
These include npm and PyPI, two of the most widely used package registries in software development.
How Attackers Exploit Public Code
The open source malware risks landscape is evolving into an arms race.
Attackers embed malicious scripts in everyday libraries used by developers worldwide, often in install-time hooks (an npm lifecycle script such as postinstall, or a PyPI package’s setup.py) so the payload runs with the developer’s privileges the moment the package is installed.
The goal? Steal sensitive information, including:
- .git-credentials
- AWS secrets
- Environment variables
- CI/CD tokens
These credentials open doors to cloud accounts, internal systems, APIs, and databases.
Once attackers get in, they can move laterally and trigger broader supply chain attacks.
Developers in the Crosshairs
Unlike typical phishing attacks that target office workers, this malware focuses on developers.
Hackers know that developers hold the keys to valuable infrastructure.
Sonatype’s researchers warn that targeting developers creates the potential for devastating breaches.
The code they write and the tools they use can be silently weaponized from within.
Notable Malware Campaigns in Open Source
Several high-profile incidents highlight the growing open source malware risks in 2025.
CryptoJS Impersonation
In April 2025, attackers published npm packages disguised as CryptoJS, a widely used JavaScript encryption library whose active development has been discontinued.
Underneath the familiar name, the malware harvested cryptocurrency wallet data, environment variables, and database connection strings.
Yeshen-Asia Campaign
A suspected Chinese threat actor quietly planted more than 60 malicious npm packages starting in late 2024.
These packages masqueraded as developer utilities while funneling stolen data to infrastructure linked to the yeshen.asia domain.
One fake author’s package was downloaded more than 23,000 times before removal.
Lazarus Group Activity
The infamous Lazarus Group, backed by North Korea, was linked to 107 malicious packages in just three months.
These malicious npm and PyPI packages posed as harmless developer tools while exfiltrating sensitive data.
The Bigger Picture: A Growing Threat
The rise in open source malware risks is no longer theoretical—it’s happening at scale.
Developers, not end users, are now the front-line targets in supply chain attacks.
This shift threatens entire organizations, as stolen credentials enable cloud takeovers and deeper intrusions.
The attacks are stealthy, sophisticated, and often hidden in plain sight.
How Developers Can Stay Safe
To defend against open source threats, developers should:
- Rely on trusted sources and well-maintained libraries, and check that a package’s name and publisher really match the project they expect, since typosquats and look-alike names are the usual lure
- Pin versions with a lockfile and review dependency updates, especially a sudden new maintainer, a newly added install script, or a burst of new releases; where no dependency needs install hooks, installing with npm ci --ignore-scripts removes the most common execution path
- Use automated tools to scan dependencies for known vulnerabilities and malware before they reach CI
- Rotate credentials regularly, keep secrets out of source code, and give CI tokens the narrowest scope and shortest lifetime possible
Security must become an everyday practice, not just an afterthought.
Conclusion
The rise of open source malware risks exposes the hidden dangers lurking in public code.
As attackers grow more aggressive, developers must stay vigilant and rethink how they manage software supply chains.
In today’s environment, trust alone is not enough.
Protecting code, credentials, and infrastructure is essential to keeping both businesses and users safe.