NEWS > April 2026
|
Sonatype Releases Q1 2026 Open Source Malware Index: Trust Abuse Most Successful Attack Vector April 14, 2026 - Sonatype the leader in AI-driven DevSecOps, today unveiled the Q1 2026 Open Source Malware Index, identifying 21,764 malicious open source packages in the first quarter of the year and bringing the total logged since 2017 to 1,346,867. The npm registry continues to be the target of most new malicious attacks, at 75%, with the quarter defined by credential theft, host reconnaissance, and staged payload delivery aimed at developer and CI/CD environments. “The biggest open source attacks in Q1 didn’t win because they were novel. They won because they abused trust already built into the software lifecycle — trusted package names, trusted tools, and trusted release workflows,” said Brian Fox, Co-founder and CTO of Sonatype. “That’s what makes modern supply chain attacks more dangerous: the problem is no longer just spotting something suspicious, it’s knowing when something familiar has been turned against you.” Trust Abuse, Not Novelty, Defined the Most Successful Q1 Attacks In the first three months of 2026, Sonatype observed the equivalent of one malicious package every six minutes. But the bigger story was how those attacks succeeded. Rather than relying on obvious deception, attackers increasingly used plausible packages, compromised release paths, and trusted software to gain access. Incidents such as the axios compromise and the Trivy/LiteLLM campaign showed how small changes inside trusted packages and release workflows can create outsized downstream risk. Developer and CI/CD Environments: Primary Targets for Access, Persistence, and Reuse The report found that 22% (~4,900) of Q1 malware exfiltrated host information, 19% (~4,200) stole secrets, and 16% (~3,500) set the stage for secondary payloads — clear signals that attackers are targeting developer machines and software delivery infrastructure for reusable access. These campaigns were built to capture tokens, keys, cloud credentials, and other secrets that can be reused across repositories, build systems, and production environments. SANDWORM_MODE, in particular, highlighted how open source malware is becoming more adaptive and better suited to spreading through developer and CI environments. npm Remained the Dominant Ecosystem for Malware Distribution and Downstream Reach With npm seeing the equivalent of 46 malicious packages per day, the JavaScript ecosystem remained the leading distribution channel for open source malware in Q1. PyPI saw 18% of total malware in Q1, with other registries significantly lower, signaling that attackers are concentrating on the ecosystems that offer the greatest scale, speed, and downstream reach. For defenders, that means the most widely used registries remain some of the most attractive channels for malware delivery. Backed by Sonatype’s industry-leading security research team, Sonatype Repository Firewall helped customers prevent 136,107 open source malware attacks in Q1. To explore the full findings from the Q1 2026 Open Source Malware Index and access additional software supply chain guidance, visit Sonatype Guide. Sonatype solutions are available in UK through Simple IT Distribution LTD, Sonatype Partner in the UK.
About Simple IT Distribution LTD Simple IT Distribution LTD is backed by 10 years of experience in Value Added IT Distribution. What sets us apart from the crowd is our customer-centric approach, the quality services (consulting, implementation, training, support), and the people behind them, which are experienced and certified proffessionals. We provide sales and technical advice and deliver the solutions that best meed our customers' diverse technology needs. Our partners are hand-picked from the top vendors, and we back up their solutions with certified professionals, to give you nothing but the best. For more information, please visit www.simpleit-distribution.co.uk . |
