2026 Edition · Updated June 2026
Every package your developers download is an unsigned trust decision. In 2025 alone, open source registries logged over a million malicious packages. This page documents the scale, the vectors, the cost - and what enterprises are doing about it.
Malicious packages logged since 2017
Source: Sonatype Q1 2026
New malicious package published in Q1 2026
Source: Sonatype Q1 2026
Average cost of a supply chain breach
Source: IBM 2025
Mean time to detect and contain
Source: IBM 2025
Scale
Open source is the substrate of modern software delivery - pulled continuously by pipelines, rebuilt across fleets, consumed at a scale that makes manual oversight impossible. That scale is now the primary attack surface.
"Software supply chains have hit machine scale. Trust at scale is now the central engineering and business challenge of modern software."
Vectors
Supply chain attacks are not a single technique. They are a class of attacks that exploit the trust relationship between developers and the packages they consume. The vectors are evolving faster than most security tooling can track.
Attackers publish packages with names one or two characters off from popular libraries - reqeusts instead of requests, coloers instead of colors. Developers mistype; pipelines install without verifying.
postinstall hooks that execute immediately - exfiltrating CI/CD secrets, tokens, and environment variables in under 100ms.An attacker publishes a package with the same name as your internal package to a public registry at a higher version number. If the developer's environment is not scoped correctly, the public malicious package wins - no typo needed.
Attackers compromise the registry account of a legitimate, trusted maintainer and publish a malicious version of an already-trusted package. They inherit the publisher's reputation, download history, and position in every dependency tree.
[email protected] and [email protected] were released with a hidden dependency on [email protected] - an obfuscated loader using a postinstall hook to deliver a remote access trojan. Axios averages 108.4 million weekly downloads. (Sonatype Q1 2026, OpenSourceMalware.com 2026)1.82.7 and 1.82.8 contained an obfuscated credential stealer targeting API keys, SSH keys, Git credentials, cloud secrets, Kubernetes tokens, Terraform/Helm artifacts, and CI/CD config. (Sonatype Q1 2026)Long-game attacks where a threat actor earns maintainer trust over months or years, then injects malicious code - or compromises the build pipeline directly.
CVE-2024-3094, CVSS 10.0, 2024): A nation-state actor spent ~2 years building a fake developer identity ("Jia Tan"), earned commit access to the XZ compression library, then inserted a backdoor targeting SSH authentication. Caught by a single Microsoft engineer noticing anomalous CPU usage - hours before shipping to Debian and Red Hat stable. (Wired, CrowdStrike 2024)is-buffer, eslint, redux, and React tooling. Sonatype attributed 107 malicious packages to Lazarus Group in Q2 2025 alone - accounting for 30,000+ known downloads. (Sonatype Q2 2025)AI code assistants hallucinate package names that do not exist. Attackers register those hallucinated names with malicious payloads, then wait for AI-generated code to be copied into projects.
events-channel as a live example: an npm package mimicking Node.js's built-in events module, surfaced via LLM hallucination - still live with 168,000 downloads despite being reported (OpenSourceMalware.com, June 2026)Ecosystems
Not all ecosystems carry equal risk. npm leads in raw attack volume. PyPI is growing fastest. But every ecosystem ShieldedStack protects has active, documented malware campaigns.
| Registry | Ecosystem | 2025 Volume | Threat Data | Key Risk |
|---|---|---|---|---|
| npm | JavaScript / Node.js | 4.5T requests | 146,237 malicious packages in OSM database (OpenSourceMalware.com 2026); 75% of Q1 2026 malicious packages (Sonatype); malicious activity more than doubled in 2025 (ReversingLabs) | postinstall hook abuse; ATOs targeting packages with 100M+ weekly downloads. |
| PyPI | Python | 530B requests | 10,940 malicious packages in OSM database (OpenSourceMalware.com 2026); PyPI rate of new malicious package growth now tracks npm velocity (OSM Jan-May 2026); declined 43% in 2025 as npm dominated, but multi-ecosystem campaigns now hit both simultaneously (ReversingLabs 2026) | Permissive name registration; AI/cloud boom driving adoption and attack surface. |
| NuGet | .NET / C# | Enterprise-scale | Rising; enterprise-targeted; stricter verification but dependency confusion documented. | Internal package shadow attacks in enterprise .NET shops. |
| Maven Central | Java | Trillions (combined) | Stricter verification; build pipeline attacks documented; Lazarus Group active. | Transitive depth; one compromised library affects thousands of downstream packages. |
| Cargo | Rust | Rapid growth | Relatively low historical volume, but growing surface and community trust model. | No mandatory code review; namespace growing faster than tooling. |
| Go modules | Go | Rapid growth | Namespace squatting; vanity import path abuse. | Decentralized hosting makes verification harder. |
| RubyGems | Ruby | Mature/stable | Documented campaigns; postinstall hooks exploited. | Many unmaintained gems with accumulated CVEs. |
Cost
The IBM Cost of a Data Breach Report 2025, based on interviews with 600+ organizations breached between March 2024 and February 2025, provides the most rigorous breach cost data available. Supply chain compromise is consistently at the top of both frequency and cost tables.
Average cost of a supply chain compromise breach globally
IBM 2025 - 11% above the global average breach cost of $4.44M
Mean time to identify and contain
IBM 2025 - the longest breach lifecycle of any attack vector IBM tracks
More expensive to remediate than direct first-party breaches
SOCRadar 2025
Global annual cost of software supply chain attacks in 2025
Cybersecurity Ventures - projected to reach $138B by 2031
Share of all breaches attributable to supply chain compromise in 2025
IBM 2025 - a 68% increase over prior year
| Sector | Average breach cost |
|---|---|
| Healthcare | $7.42M (IBM 2025) |
| Financial services | $5.56M (IBM 2025) |
| Industrial / manufacturing | $5.56M (IBM 2025) |
| Defense | $5.46M (IBM 2025) |
"Supply chain compromise surged to become the second most prevalent attack vector at 15% of breaches - and second costliest at $4.91M - behind only malicious insider threats."
Incidents
These are attacks on packages, tools, and libraries your developers used this week.
Starting June 1st: 32 @redhat-cloud-services packages (avg. 80,000 weekly downloads) compromised, expanding to 80+ packages and 286+ malicious versions within days. The same campaign then disabled 73 repositories across Microsoft's Azure, Azure-Samples, microsoft, and MicrosoftDocs GitHub organizations - all within a 105-second window on June 5, 2026.
Source: OpenSourceMalware.com, June 2026
Attackers hijacked the npm publishing account and released [email protected] and [email protected] with a hidden transitive dependency on [email protected] - an obfuscated loader that used a postinstall hook to fetch and execute a remote access trojan with OS-specific launchers for macOS, Windows, and Linux. Axios averages 108.4 million weekly downloads. The attacker needed only to change a transitive dependency, not rewrite the library.
Source: Sonatype Q1 2026, OpenSourceMalware.com 2026
Typosquatted npm packages harvesting npm tokens, GitHub tokens, environment variables, cryptographic keys, and API credentials - plus code to spread into additional repositories and workflows. Included functionality to interact with a local Ollama instance, suggesting early experimentation with self-modifying AI-assisted malware inside compromised environments.
Source: Sonatype Q1 2026
A compromised version of the Trivy security scanner was used to insert malicious code into the LiteLLM library. Malicious PyPI versions 1.82.7 and 1.82.8 contained an obfuscated credential stealer and dropper targeting API keys, SSH keys, Git credentials, cloud secrets, Kubernetes tokens, Terraform/Helm artifacts, and CI/CD config. A trusted security tool became the attack path.
Source: Sonatype Q1 2026
Self-propagating malware that harvested npm and GitHub tokens, then auto-published malicious versions of any accessible packages. First wave compromised 180 packages including @ctrl/tinycolor (2M+ weekly downloads). Second wave expanded to ~800 packages, touching Zapier, ENS Domains, PostHog, and Postman-linked projects. The first registry-native worm.
Source: ReversingLabs 2026, Group-IB 2026
A nation-state actor operated as "Jia Tan" for 2+ years, earned maintainer trust on the XZ compression library, then inserted CVE-2024-3094 (CVSS 10.0) - a backdoor into SSH authentication. Caught hours before shipping to Debian and Red Hat stable by a single engineer noticing anomalous CPU usage. The closest the ecosystem has come to universal infrastructure compromise.
Source: Wired, CrowdStrike 2024
Nation-state actors inserted malicious code into a SolarWinds Orion update, distributed to 18,000+ customers including US federal agencies and Fortune 500 companies. Provided persistent backdoor access for months before detection. The canonical enterprise supply chain attack.
Source: Secureframe
Compliance
EU-based enterprises face binding supply chain security requirements across three frameworks. Non-compliance is a fine risk, not a theoretical one. ShieldedStack is an EU-based company built with these requirements in scope.
Source: codekeeper.co, June 2026
Source: Manifest Cyber, Anchore 2025
Source: codekeeper.co, June 2026
Protection
Dependabot, Snyk, and similar tools are not wrong - they are incomplete. They operate post-download. By the time they alert, the package is already on developer machines, in the CI artifact cache, and potentially executing postinstall hooks.
| Post-Download Scanners | ShieldedStack | |
|---|---|---|
| When it runs | After packages are committed to your repo | Before the package reaches any machine |
| Local developer installs | ✗ Not covered | ✓ Intercepted at download |
| CI restore jobs | ✗ Not covered | ✓ Intercepted at download |
postinstall hook execution | ✗ Already happened | ✓ Package never delivered |
| Novel malware (not yet in CVE DB) | ✗ No signal | ✓ Age-based risk flags new packages |
| Dependency confusion | ✗ Requires config; bypassable | ✓ Enforced at network level |
| SBOM source | ✗ Lock file inference | ✓ Observed actual downloads |
| Ecosystems | ✗ Varies by tool | ✓ All 7 from one console |
postinstall hook executes in milliseconds. A Dependabot PR takes hours to days to reach a developer. ShieldedStack operates at the only moment that matters: before the package lands.See full comparisons: vs Snyk · vs Dependabot · vs JFrog · vs Socket Firewall
Every ecosystem, every environment: dev machines, CI agents, staging. If it is not proxied, it is uncontrolled. A proxy that covers npm but not PyPI is a half-measure - coordinated multi-ecosystem campaigns now hit both simultaneously.
Hard-block Critical and High CVEs in production CI. Alert-only policies do not stop attacks; they document them afterward.
Configuration-level scoping is insufficient. Dependency confusion attacks work precisely because developers trust their tooling. Enforce resolution order at the proxy layer.
Newly published packages (< 7-14 days old, no established download history) carry disproportionate risk. Block or require manual approval for new packages in production pipelines.
Not a point-in-time lock file snapshot. An SBOM based on what actually flowed through your proxy, continuously updated. Required for CRA compliance from September 2026.
Who downloaded what, when, from which environment, blocked or allowed. Required for post-incident review and regulatory reporting.
Any package name surfaced by an LLM coding assistant should be verified against the registry before installation. events-channel had 168,000 downloads before it was flagged. Slopsquatting is confirmed, not theoretical.
The axios compromise arrived through a hidden transitive dependency (plain-crypto-js), not a change to axios itself. Modern JavaScript projects routinely exceed 500 transitive packages.
Get Started
267 days. That is the average time a supply chain breach goes undetected. One package. One postinstall hook. That is all it takes.
ShieldedStack proxies all seven package ecosystems - npm, PyPI, NuGet, Maven, Go, Cargo, and RubyGems - and blocks vulnerable packages before they reach your environment. Setup takes minutes. Coverage is immediate.
Already using Dependabot or Snyk? ShieldedStack fills the gap they cannot cover. See how it compares →
Sources
This page aggregates publicly available research and primary reports. Statistics are attributed to their original sources inline. Where multiple sources report the same metric, we use the most conservative figure unless stated otherwise. This page is updated as new primary data is published.