According to Kaspersky telemetry, almost 19,500 malicious packages were found in open-source projects by the end of 2025, representing a 37% increase compared to the end of 2024.
Modern software development is inseparable from open-source components. However, open-source software may contain intentionally hidden threats which can leave the products that use malicious packages vulnerable to manipulation, including supply chain attacks. According to a new Kaspersky global study, supply chain attacks have emerged as the most common cyberthreat facing businesses over the past year.
Kaspersky reminds about high‑profile supply chain attacks that have emerged recently:
- In April 2026, the official
website for CPU-Z and HWMonitor, free tools used by hardware enthusiasts,
IT administrators and system builders worldwide to monitor hardware
performance was compromised, silently replacing legitimate software
downloads with malware-laced installers. Analysis from Kaspersky GReAT
showed that the compromise window was approximately 19 hours. Kaspersky telemetry detected
that more than 150 victims across multiple countries faced this attack.
The majority were individual users, which is consistent with the
consumer-facing nature of the compromised software. Affected organizations
spanned retail, manufacturing, consulting, telecommunications and
agriculture.
- In March 2026, Axios, one of
the most widely used JavaScript HTTP clients, was compromised. The
attackers hijacked a maintainer’s account and published poisoned versions
of the package (1.14.1 and 0.30.4). The malicious releases contained no
harmful code in Axios itself but introduced a phantom dependency that
deployed a cross-platform RAT, contacted a C&C server, and then erased
traces of itself for macOS, Windows and Linux. Both versions were removed
within hours, and the dependency was quickly put under a security hold.
Kaspersky GReAT confirmed that the attack was not standalone – it shared
tactics, techniques and procedures with Bluenoroff’s GhostCall and
GhostHire campaigns, presented at the Security
Analyst Summit in 2025.
- In February 2026, the developers of Notepad++, a widely used open-source text and code editor, disclosed that their infrastructure had been compromised due to a hosting provider incident. Kaspersky GReAT researchers discovered that attackers behind the Notepad++ supply chain compromise had used at least three distinct infection chains and targeted a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam and individuals across several countries.
“According to our survey, 31% of enterprise businesses have been impacted by a supply chain attack in the past 12 months. Nevertheless, the security level of open‑source projects is not necessarily lower than that of proprietary-vendor solutions. In some cases, an active open‑source community can quickly discover and remediate vulnerabilities, whereas proprietary systems often rely on internal teams for audits. The open‑source community strives to monitor emerging risks, cybersecurity specialists conduct researches to find vulnerabilities and malicious code in open‑source software, promptly notifying their users and the community. Completely eliminating the potential risks is impossible, but they can be minimized also with the help of security solutions and automated code‑analysis tools,” comments Dmitry Galov, Head of Kaspersky GReAT Russia and CIS.
To stay safe, Kaspersky recommends:
- Using a solution, like Kaspersky Open Source Software Threats Data Feed, for monitoring the used open-source components in order to detect the threats that might be hidden inside.
- Ensuring continuous monitoring. Use solutions like XDR or MXDR, which are part of the Kaspersky Next product line, for real-time infrastructure monitoring and detecting anomalies in software and network traffic, depending on the availability of in-house staff members capable of carrying out such a monitoring.
- Staying informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond.
- Developing an incident response plan. Make sure it covers supply chain attacks and includes steps to quickly identify and contain breaches — for example by disconnecting the supplier from company systems.
- Collaborating with suppliers on security issues. This strengthens protection on both sides and make it a shared priority.
About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT)
operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage
campaigns, major malware, ransomware and underground cyber-criminal trends
across the world. Today GReAT consists of 35+ experts working globally – in
Europe, Russia, Latin America, Asia and the Middle East. Talented security
professionals provide company leadership in anti-malware research and
innovation, bringing unrivaled expertise, passion and curiosity to the
discovery and analysis of cyberthreats.
