Software Supply Chain Threats Targeting Open-Source Ecosystems and Developer Tooling
Open-source software supply chain risk continued to escalate, with reporting citing 454,600+ newly identified malicious packages across major repositories (including PyPI, npm, Maven Central, NuGet, and Hugging Face) and tactics ranging from credential theft to multi-stage attacks and even early self-replicating package malware. The activity reportedly concentrated heavily in npm, including high-volume “ecosystem flooding” (e.g., single accounts publishing 150,000+ malicious packages in days) and hijacking of trusted projects, exploiting developer reliance on superficial trust signals such as package names, READMEs, and download counts.
Separately, researchers disclosed “PackageGate” vulnerabilities in JavaScript package managers (npm, pnpm, vlt, and Bun) that can bypass common post-incident defenses—namely --ignore-scripts and lockfile integrity—enabling malicious code execution via compromised dependencies. Koi Security reported six issues; pnpm, vlt, and Bun shipped fixes, while npm reportedly treated the behavior as expected. In parallel, threat actors abused GitHub’s fork architecture to distribute a spoofed GitHub Desktop installer promoted via search ads; execution deployed HijackLoader and established persistence via a scheduled task, underscoring that supply chain threats extend beyond package registries into developer tooling distribution channels.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Sonatype reports surge in malicious open-source packages in 2025
Sonatype's State of the Software Supply Chain report said more than 454,600 new malicious open-source packages were identified during 2025 across ecosystems including npm, PyPI, Maven Central, NuGet, and Hugging Face.
Fake GitHub Desktop installer campaign delivers HijackLoader
Researchers reported a malware campaign using search-result ads and spoofed GitHub Desktop installers hosted through abused GitHub forks. The trojanized installer deploys HijackLoader and creates a scheduled task for persistence.
Koi publicly discloses PackageGate vulnerabilities
After vendor responses, Koi publicly disclosed the PackageGate issues affecting major JavaScript package managers and warned users to reassess mitigations and alternatives.
npm classifies reported PackageGate behavior as expected
Koi said npm closed its report without issuing a fix, describing the behavior as "expected behavior" despite the demonstrated bypass technique involving malicious git dependencies.
pnpm, vlt, and Bun fix PackageGate issues
According to Koi, pnpm, vlt, and Bun remediated the reported PackageGate vulnerabilities within weeks of disclosure to the vendors.
PackageGate flaws reported to npm, pnpm, vlt, and Bun
Koi researchers reported six zero-day "PackageGate" vulnerabilities affecting npm, pnpm, vlt, and Bun, showing that lifecycle-script blocking and lockfiles could be bypassed for supply-chain attacks and code execution.
PhantomRaven npm campaign detected in the wild
Koi said the "PhantomRaven" campaign was detected in October and used RDD to evade scanners while reaching more than 86,000 downloads, showing real-world abuse of package-manager weaknesses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Open source malware surges in 2025 | SC Media
scworld.com
Open sourceGitHub Desktop installer spoofed for malware delivery | SC Media
scworld.com
Open sourcePackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious open-source packages and developer-targeted supply chain attacks
Security researchers reported multiple **software supply chain** threats targeting developers via public package ecosystems. Tenable analyzed a malicious npm package, **`ambar-src`**, that reached roughly **50,000 downloads** in days before removal; it executed during installation via **malicious `preinstall` behavior**, used evasion techniques, and dropped OS-specific payloads for Windows, Linux, and macOS, with typosquatting assessed as the likely lure (mimicking *`ember-source`*). Separate reporting described a campaign using **malicious NuGet packages** (e.g., **NCryptYo**, **DOMOAuth2_**, **IRAOAuth2.0**, **SimpleWriter_**) that impersonated legitimate .NET libraries, executed code on assembly load, and established local proxying/backdoor behavior to facilitate credential theft and persistence in ASP.NET environments. Additional coverage warned of an npm “worm-like” propagation pattern impacting **CI pipelines and AI coding tools**, reinforcing that developer tooling and build systems are high-risk choke points where a single poisoned dependency can spread quickly across environments. While the broader set of articles also included unrelated breach, ransomware, and policy items, the developer-focused supply chain reporting consistently emphasized that **installation-time execution** and **typosquatting/impersonation** enable compromise even when developers never directly call the malicious code, and that traditional detection can lag (e.g., low initial antivirus detection rates for obfuscated .NET payloads).
Mar 21, 2026
Software Supply-Chain Attacks Abusing GitHub and npm Dependency Mechanisms
Security researchers reported two distinct software supply-chain abuse paths that can make malicious code appear to originate from trusted sources. GMO Cybersecurity by Ierae described an active campaign dubbed **“repo squatting”** that abuses how GitHub renders and links commits from forks: a commit made in an attacker-controlled fork can be viewed under the upstream project’s URL structure, enabling convincing links like `github.com/<official-org>/<repo>/commit/<hash>` that appear to belong to the official repository. The campaign targeted the *GitHub Desktop* project by distributing a trojanized installer carrying **HijackLoader**, with the malicious download link presented in a way that could mislead users and some security tooling into believing it came from the official repo. Separately, Koi researchers disclosed **PackageGate** weaknesses in JavaScript dependency tooling that allow bypassing npm’s post–**Shai-Hulud** mitigations when installing **Git-based dependencies**. They reported that a malicious `.npmrc` in a Git dependency can override the `git` binary path, enabling **code execution even when lifecycle scripts are disabled** (e.g., `--ignore-scripts=true`), affecting multiple tools (including *pnpm*, *vlt*, *Bun*, and *npm*). Vendors reportedly addressed the issue in the non-npm tools, while npm closed the report as “works as expected,” and researchers cited evidence of prior proof-of-concept abuse (e.g., reverse shell) indicating practical exploitation risk for organizations relying on Git dependencies in CI/CD and developer environments.
Mar 21, 2026
Supply Chain Risks in GitHub and npm Package Ecosystems
Recent analysis has revealed a critical security flaw in how package managers such as npm, Bun, and PyPI handle dependencies sourced directly from GitHub repositories. When specifying a dependency using a commit SHA, if that SHA exists in a forked repository, the package manager may pull code from the fork rather than the intended source, allowing attackers to inject malicious code by manipulating forks. This vulnerability is exacerbated by the lack of visibility into GitHub's internal network of forks, making it difficult for security tools and registries to detect or warn about such attacks, as demonstrated by incidents involving actors like Shai Hulud. In parallel, AWS Security has reported on their response to recent large-scale npm supply chain threat campaigns, including the Nx package compromise, the Shai-Hulud worm, and a token-farming campaign that resulted in over 150,000 malicious packages being identified. These incidents highlight the growing sophistication and scale of attacks targeting open-source software supply chains, and underscore the need for improved detection, response workflows, and collaboration across the security community to mitigate these evolving threats.
Mar 21, 2026