Skip to main content
1.8M Malicious Packages in Six MonthsIncident
4 min readFor Security Engineers

1.8M Malicious Packages in Six Months

What Happened

By the end of Q2 2026, Sonatype Research logged 1.8 million malicious packages across public registries. This wasn't a single sophisticated attack. It was industrial-scale pollution of the software supply chain. npm bore the brunt with 96.6% of malicious packages, while PyPI and NuGet split 87% of the remaining non-npm activity.

Attackers have moved beyond crafting individual malicious packages. They're now running automated campaigns that flood registries with variations of the same payload, testing detection systems, and exploiting the trust developers place in package ecosystems.

Timeline

Q1 2026: Background malware activity continues at established levels across major package registries.

Q2 2026: Malicious package submissions accelerate. Automated campaigns begin flooding npm with typosquatted packages and dependency confusion attempts.

End of Q2 2026: Sonatype Research records 1.8 million total malicious packages, marking a clear shift from targeted attacks to volume-based ecosystem abuse.

The timeline matters less than the trend. This isn't about when it happened. It's about recognizing that attackers have automated their entire workflow.

Which Controls Failed or Were Missing

Registry-Level Validation

npm's automated publishing pipeline allowed attackers to submit packages at scale without meaningful human review. The registry relied on post-publication detection rather than pre-publication validation. When thousands of packages can be published per hour, detection becomes a losing game.

Developer Dependency Verification

Most development teams lacked tools to verify package integrity before installation. They trusted that npm install would pull safe code. There was no signature verification, hash checking, or automated scanning in CI/CD pipelines before packages hit developer machines.

Namespace Protection

Organizations didn't claim their internal package names in public registries. An attacker could publish @yourcompany/auth-utils to npm before your team realized the namespace was unprotected. Dependency confusion attacks succeeded because teams assumed their private package names were inherently private.

Runtime Monitoring

Even when malicious packages made it into builds, teams had no visibility into what those packages did at runtime. Install scripts ran with full privileges. Network calls went unmonitored. File system access wasn't logged.

What the Relevant Standards Require

NIST 800-53 Rev 5 SA-10: Developer Configuration Management

Requires organizations to "employ configuration management throughout the system development life cycle" and maintain "configuration control of developer-provided code." This includes tracking and controlling changes to software components, including third-party dependencies.

Your team needs documented procedures for:

  • Approving new dependencies before they enter your codebase
  • Maintaining an inventory of all third-party packages with version numbers
  • Reviewing dependency updates before merging them

PCI DSS v4.0.1 Requirement 6.3.2

States that "security vulnerabilities are identified and addressed" through vulnerability scans and security testing. For organizations handling payment data, this extends to scanning dependencies for known malware before deployment.

You must:

  • Run automated dependency scans in your CI/CD pipeline
  • Block builds that include packages with known vulnerabilities or malicious indicators
  • Document your dependency approval and scanning process

ISO/IEC 27001:2022 A.8.30: Outsourced Development

Addresses risks from external code, requiring organizations to "supervise and monitor" outsourced development activities. Open source packages are outsourced development, you're running code written by strangers.

Your controls should include:

  • Vetting packages before first use (checking maintainer history, download counts, recent activity)
  • Monitoring packages for ownership changes or unusual updates
  • Having a rollback plan when a trusted package becomes compromised

OWASP ASVS v4.0.3 V14.2: Dependency

Requires that "all components, libraries, and frameworks are from trusted sources" and that you maintain "an inventory of all third-party components." It also calls for verifying that dependencies "do not contain known vulnerabilities."

Practically, this means:

  • Lock files committed to version control (package-lock.json, requirements.txt)
  • Automated tools that alert on new vulnerabilities in your dependency tree
  • A defined process for updating or replacing vulnerable dependencies

Lessons and Action Items for Your Team

Claim Your Namespace

Register your organization's name and common internal package names in public registries, even if you never publish to them. For npm, claim @yourcompany. For PyPI, register yourcompany-* variants. This costs nothing and prevents dependency confusion attacks.

Implement Pre-Commit Dependency Scanning

Don't wait until CI/CD to catch malicious packages. Run npm audit or equivalent tools before developers commit dependency changes. Better yet, use pre-commit hooks that block commits adding packages with known issues.

Lock Down Install Scripts

Package install scripts (postinstall, preinstall) run arbitrary code on your developers' machines and build servers. Configure your package manager to block or prompt before running install scripts. In npm, use --ignore-scripts by default and explicitly allow trusted packages.

Monitor Package Ownership Changes

Set up alerts for when packages you depend on change maintainers. Tools like Socket.dev and Snyk track maintainer changes. When a package transfers ownership, review the new maintainer's history before accepting updates.

Separate Build Environments from Production Secrets

If a malicious package makes it into your build, it shouldn't have access to production credentials. Use separate service accounts for CI/CD with minimal permissions. Rotate credentials that might have been exposed in development environments.

Maintain a Private Registry Mirror

For critical dependencies, mirror approved versions to a private registry. This gives you control over what versions your team can install and creates an air gap between public registries and your production systems. When the public registry gets flooded with malicious packages, your builds keep working with known-good versions.

The 1.8 million packages logged in Q2 2026 represent a permanent shift. Attackers have industrialized malware distribution through open source ecosystems. Your response needs to be equally systematic, not just scanning for known threats, but building controls that assume every new dependency is potentially hostile until proven otherwise.

CVE database

Topics:Incident

You Might Also Like