    Kaspersky reveals a 37% increase in malicious packages compromising software supply chains

    By Editorial Team, May 1, 2026

    According to Kaspersky telemetry, almost 19,500 malicious packages were found in open-source projects by the end of 2025, representing a 37% increase compared to the end of 2024.

    Modern software development is inseparable from open-source components. However, open-source software may contain intentionally hidden threats which can leave the products that use malicious packages vulnerable to manipulation, including supply chain attacks. According to a new Kaspersky global study, supply chain attacks have emerged as the most common cyberthreat facing businesses over the past year.

    Kaspersky also pointed to high‑profile supply chain attacks that have emerged recently:

    • In April 2026, the official website for CPU-Z and HWMonitor, free tools used by hardware enthusiasts, IT administrators and system builders worldwide to monitor hardware performance, was compromised, and legitimate software downloads were silently replaced with malware-laced installers. Analysis from Kaspersky GReAT showed that the compromise window was approximately 19 hours. Kaspersky telemetry detected that more than 150 victims across multiple countries faced this attack. The majority were individual users, which is consistent with the consumer-facing nature of the compromised software. Affected organisations spanned retail, manufacturing, consulting, telecommunications and agriculture.
    • In March 2026, Axios, one of the most widely used JavaScript HTTP clients, was compromised. The attackers hijacked a maintainer’s account and published poisoned versions of the package (1.14.1 and 0.30.4). The malicious releases contained no harmful code in Axios itself but introduced a phantom dependency that deployed a cross-platform RAT for macOS, Windows and Linux, contacted a C&C server, and then erased traces of itself. Both versions were removed within hours, and the dependency was quickly put under a security hold. Kaspersky GReAT confirmed that the attack was not standalone: it shared tactics, techniques and procedures with Bluenoroff’s GhostCall and GhostHire campaigns, presented at the Security Analyst Summit in 2025.
    • In February 2026, the developers of Notepad++, a widely used open-source text and code editor, disclosed that their infrastructure had been compromised due to a hosting provider incident. Kaspersky GReAT researchers discovered that attackers behind the Notepad++ supply chain compromise had used at least three distinct infection chains and targeted a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam and individuals across several countries.
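
The Axios case above, as an added example (not code from the article or from Kaspersky): a Node.js check that flags the two poisoned versions named above in an npm lockfile and reports any dependency of the package that a known-good lockfile did not have. The lockfile contents, `some-sdk`, `example-phantom-dep` and the `1.0.0-sample` version are constructed placeholders; the article does not name the injected dependency.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for the Axios incident.
const POISONED = { axios: new Set(["1.14.1", "0.30.4"]) }; // versions named in the article

// Every installed copy of `name`, including copies nested under other packages.
function installedCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      deps: Object.keys(meta.dependencies || {}),
    }));
}

// Compare the current lockfile with a known-good one from before the incident.
function auditLock(currentLock, knownGoodLock, name = "axios") {
  const baseline = new Set(installedCopies(knownGoodLock, name).flatMap((c) => c.deps));
  const bad = POISONED[name] || new Set();
  const findings = [];
  for (const copy of installedCopies(currentLock, name)) {
    if (bad.has(copy.version)) {
      findings.push({ type: "poisoned-version", path: copy.path, detail: copy.version });
    }
    for (const dep of copy.deps) {
      // A dependency the package never declared before is the "phantom dependency" signal.
      if (!baseline.has(dep)) {
        findings.push({ type: "new-dependency", path: copy.path, detail: dep });
      }
    }
  }
  return findings;
}

// Constructed sample lockfiles (not real registry data).
const KNOWN_GOOD = { packages: {
  "node_modules/axios": { version: "1.0.0-sample", dependencies: { "follow-redirects": "*", "form-data": "*" } },
} };
const CURRENT = { packages: {
  "node_modules/axios": { version: "1.14.1",
    dependencies: { "follow-redirects": "*", "form-data": "*", "example-phantom-dep": "*" } },
  "node_modules/some-sdk/node_modules/axios": { version: "0.30.4", dependencies: { "follow-redirects": "*" } },
  "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "*" } },
} };

console.log(auditLock(CURRENT, KNOWN_GOOD));
```

For a real project, pass the parsed `package-lock.json` from the current tree and from the last commit known to predate the incident.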

    “According to our survey, 31% of enterprise businesses have been impacted by a supply chain attack in the past 12 months. Nevertheless, the security level of open‑source projects is not necessarily lower than that of proprietary-vendor solutions. In some cases, an active open‑source community can quickly discover and remediate vulnerabilities, whereas proprietary systems often rely on internal teams for audits. The open‑source community strives to monitor emerging risks; cybersecurity specialists conduct research to find vulnerabilities and malicious code in open‑source software, promptly notifying their users and the community. Completely eliminating the potential risks is impossible, but they can be minimised also with the help of security solutions and automated code‑analysis tools”, comments Dmitry Galov, Head of Kaspersky GReAT Russia and CIS.

    To stay safe, Kaspersky recommends:

    • Using a solution, like Kaspersky Open Source Software Threats Data Feed, to monitor the open-source components in use and detect threats that might be hidden inside.
    • Ensuring continuous monitoring. Use solutions like XDR or MXDR, which are part of the Kaspersky Next product line, for real-time infrastructure monitoring and for detecting anomalies in software and network traffic, depending on the availability of in-house staff members capable of carrying out such monitoring.
    • Staying informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond.
    • Developing an incident response plan. Make sure it covers supply chain attacks and includes steps to quickly identify and contain breaches — for example by disconnecting the supplier from company systems.
    • Collaborating with suppliers on security issues. This strengthens protection on both sides and makes it a shared priority.


    Source: Tahawul Tech
