
Threats surge in supply chains

Kaspersky has reported a sharp rise in malicious open-source packages as supply chain threats grow, writes SHERYL GOLDSTUCK.

A surge in malicious activity targeting open-source software repositories poses a growing threat to supply chains.

By the end of 2024, Kaspersky had identified a total of 14,000 malicious packages embedded in open-source projects, a dramatic 48% increase compared to the figures reported at the close of 2023. Over the course of the year, Kaspersky examined 42 million versions of open-source packages, scanning for vulnerabilities that could be exploited by threat actors.

At the 10th annual Cyber Security Weekend – META 2025, hosted by Kaspersky in Thailand last weekend, experts from the company’s Global Research and Analysis Team (GReAT) delivered critical insights into this growing threat. 

Open-source software plays a foundational role in today’s digital ecosystem. It refers to programmes whose source code is freely available for anyone to inspect, modify, and improve. Widely used repositories, such as GoMod, Maven, NuGet, npm, and PyPI, provide developers with easy access to reusable code, accelerating software development across industries. However, this accessibility also creates opportunities for cybercriminals. The same tools that streamline innovation can be weaponised by attackers seeking to compromise critical systems.

One prominent example occurred in March 2025, when the Lazarus Group, a threat actor with a known history of state-sponsored cyber operations, was found to have deployed several malicious npm packages. These packages were downloaded numerous times before they were removed. Hidden within them was malware designed to steal credentials, harvest data from cryptocurrency wallets, and install backdoors on developer systems running Windows, macOS, and Linux.

To increase the credibility of these packages, the attackers used GitHub repositories to make them appear legitimate. Kaspersky’s analysts discovered additional related packages that were also part of this coordinated effort. The incident demonstrates the growing sophistication of supply chain attacks and the high risk they pose to sectors ranging from web development to enterprise software.

Another alarming case from 2024 involved the discovery of a backdoor in XZ Utils, a core compression library widely deployed across Linux distributions. Versions 5.6.0 and 5.6.1 of XZ Utils were found to contain malicious code introduced by a contributor who had built a reputation as a trusted member of the open-source community. This backdoor was designed to target SSH servers, enabling remote command execution and putting thousands of systems worldwide at risk. 

Fortunately, it was identified before it could be broadly exploited, thanks to unusual performance patterns noticed by observant users. Still, the incident underscored how even deeply embedded software infrastructure can be vulnerable to manipulation, threatening everything from cloud platforms to IoT networks.

Kaspersky’s GReAT also discovered threats targeting developers working in artificial intelligence. In 2024, attackers uploaded malicious Python packages, such as chatgpt-python and chatgpt-wrapper, to the PyPI repository. These packages mimicked legitimate libraries intended for interacting with ChatGPT APIs but were designed to steal credentials and install backdoors. 

By exploiting the popularity of AI tools and the trust developers place in open-source ecosystems, attackers aimed to infiltrate AI-driven applications, chatbot frameworks, and data analytics platforms. Had these packages gone unnoticed, they could have compromised sensitive user data and undermined the integrity of AI workflows.

To help organisations and developers protect themselves from similar threats, Kaspersky recommends the following measures:

  • Implement open-source monitoring solutions: Use tools that continuously track and evaluate the open-source components used in your software. These solutions can help detect hidden threats before they cause damage.
  • Conduct compromise assessments: If there is any reason to believe that a threat actor may have accessed your organisation’s infrastructure, it is critical to perform a thorough compromise assessment. Kaspersky offers such services to uncover past or ongoing attacks.
  • Verify package maintainers: Always investigate the credibility of package maintainers or the organisations behind them. Look for signs of legitimacy, such as a consistent release history, well-maintained documentation, and active community engagement through issue trackers or discussion forums.
  • Stay informed on emerging threats: Subscribe to security advisories, bulletins, and alerts specific to the open-source ecosystem. Early awareness can dramatically improve an organisation’s ability to respond to new vulnerabilities.
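The maintainer-verification and monitoring advice above can be partly automated. The following is an added example, not Kaspersky's tooling and not code from the article: it takes a package record in the shape returned by the PyPI JSON API (an assumption about the input format), checks the legitimacy signals the list names (release history, documentation and project links, a reachable maintainer) and adds a lookalike-name check against a hypothetical allow-list of packages the organisation already trusts. The two sample records are constructed for the demonstration.

```python
"""Heuristic review of a package's PyPI-style metadata (added example).

Input follows the PyPI JSON API shape (https://pypi.org/pypi/<name>/json):
{"info": {...}, "releases": {"<version>": [{"upload_time": ...}, ...]}}.
Findings are review triggers for a human, not a verdict on the package.
"""
from datetime import datetime
from difflib import SequenceMatcher

# Hypothetical allow-list of packages the organisation already trusts.
KNOWN_PACKAGES = {"openai", "requests", "numpy"}


def release_span_days(releases: dict) -> int:
    """Days between the first and the most recent upload across all versions."""
    times = [
        datetime.fromisoformat(f["upload_time"])
        for files in releases.values()
        for f in files
    ]
    if not times:
        return 0
    return (max(times) - min(times)).days


def lookalike_of(name: str, known=KNOWN_PACKAGES, threshold: float = 0.8):
    """Return a trusted package this name closely resembles but is not, else None.

    Flags near-identical spellings (typosquats) and '<known>-xyz' / 'xyz-<known>'
    forms; legitimate plugins use such names too, so this only requests review.
    """
    norm = name.lower().replace("_", "-")
    for k in known:
        if norm == k:
            return None
        ratio = SequenceMatcher(None, norm, k).ratio()
        if ratio >= threshold or norm.startswith(k + "-") or norm.endswith("-" + k):
            return k
    return None


def assess_package(meta: dict) -> dict:
    """Collect legitimacy signals and a list of findings for one metadata record."""
    info = meta["info"]
    releases = meta.get("releases", {})
    findings = []

    n_releases = sum(1 for files in releases.values() if files)
    span = release_span_days(releases)
    if n_releases < 3:
        findings.append(f"only {n_releases} release(s) published")
    if span < 30:
        findings.append(f"release history spans only {span} day(s)")

    urls = info.get("project_urls") or {}
    if not (info.get("home_page") or urls):
        findings.append("no homepage or project URLs (no docs or issue tracker to inspect)")
    if not (info.get("author_email") or info.get("maintainer_email")):
        findings.append("no maintainer contact address")

    twin = lookalike_of(info["name"])
    if twin:
        findings.append(f"name resembles known package '{twin}'")

    return {"name": info["name"], "releases": n_releases,
            "span_days": span, "findings": findings}


# Constructed sample: a long-lived package with documentation and a maintainer.
ESTABLISHED = {
    "info": {"name": "requests", "author_email": "maintainer@example.org",
             "home_page": "https://example.org/requests",
             "project_urls": {"Source": "https://example.org/requests/src"}},
    "releases": {
        "2.28.0": [{"upload_time": "2022-06-09T13:27:09"}],
        "2.31.0": [{"upload_time": "2023-05-22T15:12:33"}],
        "2.32.0": [{"upload_time": "2024-05-20T09:41:18"}],
    },
}

# Constructed sample: a one-day-old lookalike with no links and no contact.
LOOKALIKE = {
    "info": {"name": "reqeusts", "author_email": "", "home_page": "", "project_urls": None},
    "releases": {"0.0.1": [{"upload_time": "2025-03-01T10:00:00"}]},
}


if __name__ == "__main__":
    for record in (ESTABLISHED, LOOKALIKE):
        result = assess_package(record)
        print(result["name"], "->", result["findings"] or "no findings")
```

Run it against the live API by fetching the JSON for each dependency in a lockfile and feeding the record to `assess_package`; any package with findings goes to a human reviewer before it is pinned.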

As the open-source community continues to drive technological progress, it is clear that its openness must be matched with equally robust security practices. The increasing frequency and sophistication of supply chain attacks demonstrate that the risks are no longer theoretical: they are already unfolding, and they demand immediate, coordinated action.

* Sheryl Goldstuck is general manager of World Wide Worx and editor of GadgetWheels. Follow her on Bluesky on @crazycatbuzz.bsky.social.
