Malicious actors are currently taking advantage of weaknesses in the open-source ecosystem to distribute harmful software.

The open-source software ecosystem, once a stronghold of collaborative development, has increasingly attracted cybercriminals aiming to infiltrate supply chains and compromise downstream systems. Analysis from the second quarter of 2025 indicates that threat actors are exploiting vulnerabilities in popular package repositories to distribute malware, exfiltrate sensitive data, and establish persistent footholds in victim environments. This alarming trend signifies a fundamental shift in attack methodologies, as malicious actors leverage the inherent trust developers place in third-party packages to circumvent traditional security controls. The threat landscape is vast and expanding, with automated threat detection platforms scanning over 1.4 million NPM (Node Package Manager) and 400,000 PyPI (Python Package Index) packages, revealing a significant number of malicious packages embedded within these repositories.

Fortinet analysts identified several malicious PyPI packages during this period, including Simple-Mali-Pkg-0.1.0, ConfigHum-0.3.5, SinonTop-Utils-0.3.5, Solana-SdkPy-1.2.5, and Solana-SdkPy-1.2.6, alongside the NPM package Postcss-Theme-Vars-7.0.7. These packages exemplify the evolving tactics employed by threat actors, who combine traditional malware techniques with supply chain exploitation methods to maximise their impact and evade detection. The technical sophistication of these malicious packages is evident in their use of multi-layered obfuscation techniques, designed to conceal malicious intent from both automated scanning tools and human analysts. For instance, the Simple-Mali-Pkg-0.1.0 package executes a suspicious mali.py file during installation, while the Postcss-Theme-Vars-7.0.7 NPM package employs JavaScript obfuscation to hide malicious functionality within a deceptively named file.