Sonatype: Open-source consumption jumps 67%
Briefly

"This volume reflects a consumption model where CI/CD pipelines, ephemeral build environments, and aggressive caching strategies pull dependencies relentlessly. However, while shared building blocks accelerate delivery, the sheer weight of this consumption is cracking the commons. Brian Fox, Co-founder and CTO of Sonatype, commented: 'In our eleventh year of this analysis, the open-source bargain holds true: we all move faster because we share. What's changed is the scale and the stakes.'"
"The days of isolated script kiddies defacing libraries for notoriety have largely passed. The threat environment has shifted toward industrialised and often state-sponsored campaigns designed to compromise the very people building the software. In 2025, Sonatype identified nearly 455,000 new malicious packages, bringing the total known malicious components to over 1.233 million. Attackers now treat open-source registries as reliable delivery channels for malware, optimised to bypass perimeter defences and execute directly on developer workstations."
In 2025, open-source consumption reached 9.8 trillion downloads across the four largest registries, a 67 percent year-over-year increase. CI/CD pipelines, ephemeral build environments, and aggressive caching drive relentless dependency pulls. Shared building blocks accelerate delivery, but the scale is cracking the commons and stressing shared infrastructure. The ecosystem has become vital infrastructure while often retaining hobbyist fragility. Surviving the operational and security costs of open source at scale is the central challenge for 2026. Malware campaigns have industrialised and often carry state sponsorship: 455,000 new malicious packages were identified in 2025, bringing the total of known malicious components to over 1.233 million. Attackers use registries to deliver malware that bypasses perimeter defences and executes directly on developer workstations. Lazarus Group concentrates its activity on npm and relies on social-engineering mimicry. Most concerning is the emergence of self-replicating malware.
Read at Developer Tech News