Open-Source Supply-Chain Risk Amplified by AI-Accelerated Development and Automation
Software supply-chain compromise continued to blend into normal development activity, with attackers exploiting the speed and trust of modern workflows—third-party dependencies, automated updates, and rapid release cycles—to distribute malware and steal credentials. A ReversingLabs study covering 2025 open-source ecosystems reported npm as the dominant distribution channel for malicious packages, including incidents where attackers compromised maintainer accounts and shipped tainted updates that propagated quickly into downstream projects via routine dependency updates and CI/CD processes.
One highlighted case was the Shai-hulud worm, described as a registry-native, self-propagating threat that used stolen credentials to inject malicious code into hundreds of packages, exposing tens of thousands of downstream repositories and complicating detection because it did not rely on external infrastructure. In parallel, commentary on generative AI’s impact on software delivery emphasized that faster code production and release pressure can increase security debt: reported industry claims that 20–30% of code at major firms is AI-generated, alongside estimates that a large share of AI-generated code can introduce OWASP Top 10-class weaknesses, reinforcing the need for stronger testing and controls as development velocity increases.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Vanta discloses customer data exposure caused by a code change
Compliance company Vanta experienced a customer data exposure incident that the reference says was caused by an erroneous code change rather than malicious attacker activity. The incident is cited as an example of how routine software changes can create security impact when insufficiently validated.
Tricentis reports organizations ship changes without full testing
A 2025 Tricentis report cited in the reference said many organizations released software changes without fully testing them because of delivery pressure. The report linked this practice to missed issues such as misconfigurations and data isolation failures.
Supply chain risk expands into AI/ML tooling and model artifacts
The ReversingLabs findings also noted emerging software supply chain risk in AI and machine learning tooling and model artifacts during 2025. This marked an expansion of supply chain concerns beyond traditional package ecosystems.
Developer secrets remain widely exposed in software packages
The reference says exposed API keys, tokens, and other developer secrets remained a persistent issue during 2025. These leaked secrets enabled follow-on attacks once malicious code reached build and development environments.
PyPI and NuGet malware detections decline amid stronger controls
The ReversingLabs study reported that malware detections in PyPI and NuGet declined during 2025. The article attributes this reduction to stronger platform protections and tighter publishing controls on those repositories.
Shai-hulud worm spreads through npm using stolen credentials
During 2025, the Shai-hulud worm allegedly used stolen credentials to self-propagate in the npm registry, injecting malicious code into hundreds of packages. The campaign reportedly affected tens of thousands of downstream repositories through the software supply chain.
ReversingLabs observes widespread open-source supply chain abuse during 2025
A ReversingLabs study summarized in the reference found that throughout 2025, attackers increasingly abused normal development workflows in open-source ecosystems. npm was identified as the dominant channel for malicious packages, including cases involving compromised maintainer accounts and rapid spread through automated dependency tooling.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Software Supply Chain Threats Targeting Open-Source Ecosystems and Developer Tooling
Open-source software supply chain risk continued to escalate, with reporting citing **454,600+** newly identified malicious packages across major repositories (including **PyPI, npm, Maven Central, NuGet, and Hugging Face**) and tactics ranging from **credential theft** to **multi-stage attacks** and even early **self-replicating** package malware. The activity reportedly concentrated heavily in **npm**, including high-volume “ecosystem flooding” (e.g., single accounts publishing **150,000+** malicious packages in days) and **hijacking of trusted projects**, exploiting developer reliance on superficial trust signals such as package names, READMEs, and download counts. Separately, researchers disclosed **“PackageGate”** vulnerabilities in JavaScript package managers (**npm, pnpm, vlt, and Bun**) that can bypass common post-incident defenses—namely `--ignore-scripts` and lockfile integrity—enabling malicious code execution via compromised dependencies. Koi Security reported six issues; **pnpm, vlt, and Bun** shipped fixes, while **npm** reportedly treated the behavior as expected. In parallel, threat actors abused **GitHub’s fork architecture** to distribute a spoofed *GitHub Desktop* installer promoted via search ads; execution deployed **HijackLoader** and established persistence via a **scheduled task**, underscoring that supply chain threats extend beyond package registries into developer tooling distribution channels.
Mar 21, 2026
Malicious open-source packages and developer-targeted supply chain attacks
Security researchers reported multiple **software supply chain** threats targeting developers via public package ecosystems. Tenable analyzed a malicious npm package, **`ambar-src`**, that reached roughly **50,000 downloads** in days before removal; it executed during installation via **malicious `preinstall` behavior**, used evasion techniques, and dropped OS-specific payloads for Windows, Linux, and macOS, with typosquatting assessed as the likely lure (mimicking *`ember-source`*). Separate reporting described a campaign using **malicious NuGet packages** (e.g., **NCryptYo**, **DOMOAuth2_**, **IRAOAuth2.0**, **SimpleWriter_**) that impersonated legitimate .NET libraries, executed code on assembly load, and established local proxying/backdoor behavior to facilitate credential theft and persistence in ASP.NET environments. Additional coverage warned of an npm “worm-like” propagation pattern impacting **CI pipelines and AI coding tools**, reinforcing that developer tooling and build systems are high-risk choke points where a single poisoned dependency can spread quickly across environments. While the broader set of articles also included unrelated breach, ransomware, and policy items, the developer-focused supply chain reporting consistently emphasized that **installation-time execution** and **typosquatting/impersonation** enable compromise even when developers never directly call the malicious code, and that traditional detection can lag (e.g., low initial antivirus detection rates for obfuscated .NET payloads).
Mar 21, 2026
Software Supply Chain Risk in Package Managers, Including AI-Driven Slopsquatting
ENISA published a March 2026 technical advisory on the **secure use of package managers**, warning that modern development workflows (e.g., *npm*, *pip*, *Maven*) can pull in far more code than developers expect due to direct and transitive dependency resolution. The advisory highlights how applications inherit large dependency graphs—often including unused modules—that still introduce vulnerabilities, maintenance and provenance risk, and expanded trust assumptions across the software supply chain. ENISA recommends secure practices for selecting, integrating, monitoring, and remediating vulnerable third-party dependencies as part of the SDLC. Separately, security researchers and industry commentary describe **slopsquatting**, a supply-chain technique that exploits AI coding assistants’ tendency to hallucinate plausible-but-nonexistent package names. Attackers can register those “phantom” names in public repositories and publish packages that appear to match the expected functionality while embedding malicious payloads, turning AI-generated suggestions into a predictable package-name acquisition strategy. The risk is positioned as distinct from typosquatting (human error) and is framed as requiring additional detection approaches beyond traditional controls, including more behavioral and validation-focused checks before adopting AI-suggested dependencies.
Mar 21, 2026