According to Kaspersky telemetry, almost 19 500 malicious packages were found in open-source projects by the end of 2025, representing a 37% increase compared to the end of 2024.
Modern software development is inseparable from open-source components.
However, open-source software may contain intentionally hidden threats which can leave the products that use malicious packages vulnerable to manipulation, including supply chain attacks.
According to a new Kaspersky global study, supply chain attacks have emerged as the most common cyberthreat facing businesses over the past year.
A number of high‑profile supply chain attacks have emerged recently:
- In April 2026, the official website for CPU-Z and HWMonitor, free tools used by hardware enthusiasts, IT administrators and system builders worldwide to monitor hardware performance was compromised, silently replacing legitimate software downloads with malware-laced installers. Analysis from Kaspersky GReAT showed that the compromise window was approximately 19 hours. Kaspersky telemetry detected that more than 150 victims across multiple countries faced this attack. The majority were individual users, which is consistent with the consumer-facing nature of the compromised software. Affected organisations spanned retail, manufacturing, consulting, telecommunications and agriculture.
- In March 2026, Axios, one of the most widely used JavaScript HTTP clients, was compromised. The attackers hijacked a maintainer’s account and published poisoned versions of the package (1.14.1 and 0.30.4). The malicious releases contained no harmful code in Axios itself but introduced a phantom dependency that deployed a cross-platform RAT, contacted a C&C server, and then erased traces of itself for macOS, Windows and Linux. Both versions were removed within hours, and the dependency was quickly put under a security hold. Kaspersky GReAT confirmed that the attack was not standalone – it shared tactics, techniques and procedures with Bluenoroff’s GhostCall and GhostHire campaigns, presented at the Security Analyst Summit in 2025.
- In February 2026, the developers of Notepad++, a widely used open-source text and code editor, disclosed that their infrastructure had been compromised due to a hosting provider incident. Kaspersky GReAT researchers discovered that attackers behind the Notepad++ supply chain compromise had used at least three distinct infection chains and targeted a government organisation in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam and individuals across several countries.
“According to our survey, 31% of enterprise businesses have been impacted by a supply chain attack in the past 12 months,” comments Dmitry Galov, Head of Kaspersky GReAT Russia and CIS. “Nevertheless, the security level of open‑source projects is not necessarily lower than that of proprietary-vendor solutions.
“In some cases, an active open‑source community can quickly discover and remediate vulnerabilities, whereas proprietary systems often rely on internal teams for audits.
“The open‑source community strives to monitor emerging risks, cybersecurity specialists conduct researches to find vulnerabilities and malicious code in open‑source software, promptly notifying their users and the community.
“Completely eliminating the potential risks is impossible, but they can be minimised also with the help of security solutions and automated code‑analysis tools,”.