What Happened
By the end of Q2 2026, Sonatype Research logged 1.8 million malicious packages across public registries. This wasn't a single sophisticated attack. It was industrial-scale pollution of the software supply chain. npm bore the brunt with 96.6% of malicious packages, while PyPI and NuGet split 87% of the remaining non-npm activity.
Attackers have moved beyond crafting individual malicious packages. They're now running automated campaigns that flood registries with variations of the same payload, testing detection systems, and exploiting the trust developers place in package ecosystems.
Timeline
Q1 2026: Background malware activity continues at established levels across major package registries.
Q2 2026: Malicious package submissions accelerate. Automated campaigns begin flooding npm with typosquatted packages and dependency confusion attempts.
End of Q2 2026: Sonatype Research records 1.8 million total malicious packages, marking a clear shift from targeted attacks to volume-based ecosystem abuse.
The timeline matters less than the trend. This isn't about when it happened. It's about recognizing that attackers have automated their entire workflow.
Which Controls Failed or Were Missing
Registry-Level Validation
npm's automated publishing pipeline allowed attackers to submit packages at scale without meaningful human review. The registry relied on post-publication detection rather than pre-publication validation. When thousands of packages can be published per hour, detection becomes a losing game.
Developer Dependency Verification
Most development teams lacked tools to verify package integrity before installation. They trusted that npm install would pull safe code. There was no signature verification, hash checking, or automated scanning in CI/CD pipelines before packages hit developer machines.
Namespace Protection
Organizations didn't claim their internal package names in public registries. An attacker could publish @yourcompany/auth-utils to npm before your team realized the namespace was unprotected. Dependency confusion attacks succeeded because teams assumed their private package names were inherently private.
Runtime Monitoring
Even when malicious packages made it into builds, teams had no visibility into what those packages did at runtime. Install scripts ran with full privileges. Network calls went unmonitored. File system access wasn't logged.
What the Relevant Standards Require
NIST 800-53 Rev 5 SA-10: Developer Configuration Management
Requires organizations to "employ configuration management throughout the system development life cycle" and maintain "configuration control of developer-provided code." This includes tracking and controlling changes to software components, including third-party dependencies.
Your team needs documented procedures for:
- Approving new dependencies before they enter your codebase
- Maintaining an inventory of all third-party packages with version numbers
- Reviewing dependency updates before merging them
PCI DSS v4.0.1 Requirement 6.3.2
States that "security vulnerabilities are identified and addressed" through vulnerability scans and security testing. For organizations handling payment data, this extends to scanning dependencies for known malware before deployment.
You must:
- Run automated dependency scans in your CI/CD pipeline
- Block builds that include packages with known vulnerabilities or malicious indicators
- Document your dependency approval and scanning process
ISO/IEC 27001:2022 A.8.30: Outsourced Development
Addresses risks from external code, requiring organizations to "supervise and monitor" outsourced development activities. Open source packages are outsourced development, you're running code written by strangers.
Your controls should include:
- Vetting packages before first use (checking maintainer history, download counts, recent activity)
- Monitoring packages for ownership changes or unusual updates
- Having a rollback plan when a trusted package becomes compromised
OWASP ASVS v4.0.3 V14.2: Dependency
Requires that "all components, libraries, and frameworks are from trusted sources" and that you maintain "an inventory of all third-party components." It also calls for verifying that dependencies "do not contain known vulnerabilities."
Practically, this means:
- Lock files committed to version control (package-lock.json, requirements.txt)
- Automated tools that alert on new vulnerabilities in your dependency tree
- A defined process for updating or replacing vulnerable dependencies
Lessons and Action Items for Your Team
Claim Your Namespace
Register your organization's name and common internal package names in public registries, even if you never publish to them. For npm, claim @yourcompany. For PyPI, register yourcompany-* variants. This costs nothing and prevents dependency confusion attacks.
Implement Pre-Commit Dependency Scanning
Don't wait until CI/CD to catch malicious packages. Run npm audit or equivalent tools before developers commit dependency changes. Better yet, use pre-commit hooks that block commits adding packages with known issues.
Lock Down Install Scripts
Package install scripts (postinstall, preinstall) run arbitrary code on your developers' machines and build servers. Configure your package manager to block or prompt before running install scripts. In npm, use --ignore-scripts by default and explicitly allow trusted packages.
Monitor Package Ownership Changes
Set up alerts for when packages you depend on change maintainers. Tools like Socket.dev and Snyk track maintainer changes. When a package transfers ownership, review the new maintainer's history before accepting updates.
Separate Build Environments from Production Secrets
If a malicious package makes it into your build, it shouldn't have access to production credentials. Use separate service accounts for CI/CD with minimal permissions. Rotate credentials that might have been exposed in development environments.
Maintain a Private Registry Mirror
For critical dependencies, mirror approved versions to a private registry. This gives you control over what versions your team can install and creates an air gap between public registries and your production systems. When the public registry gets flooded with malicious packages, your builds keep working with known-good versions.
The 1.8 million packages logged in Q2 2026 represent a permanent shift. Attackers have industrialized malware distribution through open source ecosystems. Your response needs to be equally systematic, not just scanning for known threats, but building controls that assume every new dependency is potentially hostile until proven otherwise.



