More threats to software supply chains

Kaspersky reports that, by the end of 2024, a total of 14 000 malicious packages were found in open-source projects, a 48% increase compared to the end of 2023.

Kaspersky examined a total of 42-million versions of open-source packages during 2024 in search of vulnerabilities and malicious code.

In March 2025, the Lazarus Group was reported to have published several malicious npm packages, which were downloaded multiple times before removal. The packages carried malware that stole credentials and cryptocurrency wallet data and deployed backdoors, targeting developers’ systems on Windows, macOS, and Linux.

The attack leveraged GitHub repositories for added legitimacy, highlighting the group’s sophisticated supply chain tactics.

Kaspersky’s GReAT also found other npm packages related to this attack. Malicious npm packages could have been integrated into web development, cryptocurrency platforms, and enterprise software, risking widespread data theft and financial losses.

In 2024, a sophisticated backdoor was discovered in XZ Utils versions 5.6.0 and 5.6.1, the compression utility and library (liblzma) shipped by virtually every Linux distribution.

Inserted over time by a contributor who had earned maintainer trust, the malicious code hooked into SSH servers that load liblzma, allowing an attacker holding the matching private key to execute commands on the server remotely. It was caught before it reached most stable releases, after a developer investigated unusual sshd CPU usage and login latency, and the incident became a reference case for the dangers of supply chain attacks.

Because XZ Utils is built into operating systems, cloud servers, and IoT devices, a compromise of this one component is a threat to critical infrastructure and enterprise networks alike.
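The two facts a defender acts on from the XZ incident are the affected version numbers and the condition that exposed sshd, namely liblzma being loaded into the SSH daemon. The script below is an added example, not code from the article or from the XZ project, that turns those two facts into a quick host triage. It assumes that `xz --version` prints "xz (XZ Utils) <version>" on its first line and that `ldd` is available to list the shared libraries sshd loads; neither assumption comes from the article.

```shell
#!/bin/sh
# Added example (not from the article or the XZ project): triage a host for
# the XZ Utils backdoor by checking the installed xz version and whether the
# sshd binary loads liblzma. Assumes the `xz --version` banner format shown
# below and the availability of `ldd`.

# Print the version number from an `xz --version` banner line, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the line as an argument so the
# parsing can be exercised on constructed input without running xz.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Succeed (exit 0) only if the version is one of the two trojanised releases.
# This is a blocklist, so a miss is not proof of a clean build: distributions
# may also backport or relabel liblzma, check the package manager as well.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed if the sshd binary at $1 dynamically loads liblzma. The backdoor
# only reached sshd on builds where liblzma ends up in its address space,
# typically because a distribution patch links sshd against libsystemd.
sshd_links_liblzma() {
    [ -x "$1" ] && ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks against the live system and report. Returns 1 if the
# installed xz is a backdoored release, 0 otherwise.
xz_backdoor_triage() {
    banner=$(xz --version 2>/dev/null | head -n 1)
    if [ -z "$banner" ]; then
        echo "xz not found on PATH; nothing to check"
        return 0
    fi
    ver=$(xz_version_from_banner "$banner")
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if sshd_links_liblzma "$sshd"; then
        echo "sshd ($sshd) loads liblzma: exposed if xz is a bad version"
    else
        echo "sshd ($sshd) does not load liblzma (or ldd is unavailable)"
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "ALERT: xz $ver is a backdoored release; replace it immediately"
        return 1
    fi
    echo "xz $ver is not one of the known backdoored releases"
    return 0
}

xz_backdoor_triage
```

Run it as root on each host, or feed `xz_version_from_banner` the output collected by your inventory tooling. Note what the version check cannot tell you: the backdoor was first noticed not by a version match but by a developer chasing slow sshd logins, so a clean version string should lower priority, not close the investigation.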

In 2024, Kaspersky’s GReAT discovered that attackers uploaded malicious Python packages like chatgpt-python and chatgpt-wrapper to PyPI, mimicking legitimate tools for interacting with ChatGPT APIs. These packages, designed to steal credentials and deploy backdoors, capitalised on the popularity of AI development to trick developers into downloading them.

The packages could have been used in AI development, chatbot integrations, and data analytics platforms, endangering sensitive AI workflows and user data.

“Open-source software is the backbone of many modern solutions, but its openness is being weaponized,” comments Dmitry Galov, head of research centre for Russia and CIS at Kaspersky’s Global Research and Analysis Team. “The 50% rise in malicious packages by the end of 2024 shows attackers are actively embedding sophisticated backdoors and data stealers in popular packages, which millions rely on.

“Without rigorous vetting and real-time monitoring, a single compromised package can trigger a global breach. Organisations need to secure the supply chain before the next XZ Utils-level attack succeeds.”