The Landscape of Malicious Open Source Packages: 2025 Mid‑Year Threat Report
A look at the top trends in how threat actors are weaponizing open source packages to deliver malware and persist across the software supply chain.
Kirill Boychenko
Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
The Bad Seeds: Malicious npm and PyPI Packages Pose as Developer Tools to Steal Wallet Credentials
Socket researchers uncovered malicious npm and PyPI packages that steal crypto wallet credentials using Google Analytics and Telegram for exfiltration.
Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
Lazarus-linked threat actors expand their npm malware campaign with new RAT loaders, hex obfuscation, and over 5,600 downloads across 11 packages.
Black Basta's Dependency Confusion Ambitions and Ransomware in Open Source Ecosystems
Research uncovers Black Basta's plans to exploit package registries for ransomware delivery alongside evidence of similar attacks already targeting open source ecosystems.
Lazarus Strikes npm Again with New Wave of Malicious Packages
The Socket Research Team has discovered six new malicious npm packages linked to North Korea's Lazarus Group, designed to steal credentials and deploy backdoors.
Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
Malicious Go packages are impersonating popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated payloads.
Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
Socket researchers uncovered a malicious PyPI package exploiting Deezer's API to enable coordinated music piracy through API abuse and C2 server control.
Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.
North Korean APT Lazarus Targets Developers with Malicious npm Package
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.
Topics
.NET AI Security Backdoor BeaverTail Blockchain Botnet Brandjacking Brazil Brute Force Bulletproof Hosting CanisterWorm Chrome Clipper Cloudflare Composer Contagious Interview crates.io Credential Stuffing Critical Infrastructure Crypto Drainer Cryptocurrency Cryptojacker Cryptomining Cursor Cybercrime Dark Web Dependency Confusion Developer Compromise Disinformation Docker Evilginx Exploit Kit Extensions Extortionware Facebook Fraud GitHub Actions GlassWorm Gmail Go Go Modules Google Google Drive Hacktivism HashiCorp Healthcare HexEval Homoglyphs Human Trafficking Impersonation Influence Operations Infostealer Initial Access Brokers InvisibleFerret Java JavaScript Keylogger LinkedIn Loader Maven Central Meta Microsoft Money Laundering Monkey Patching NATO North Korea npm NuGet OAST Obfuscation Open VSX OpenClaw OtterCookie Packagist Phishing PHP Piracy PyPI Python Ransomware RAT Ruby RubyGems Russian Link Rust RustSec SANDWORM_MODE Shai-Hulud Slopsquatting Smart Contracts Social Engineering South Korea Spam Spearphishing Surveillance TeamPCP TruffleHog Typosquatting Türkiye Underground Economy Vietnam VS Code Wagemole Webhook Worm XMRig XORIndex