Kaspersky’s Global Research and Analysis Team experts reported that by the end of 2024 a total of 14,000 malicious packages were found in open-source projects, a 48% increase compared to the end of 2023. 42 million versions of open-source packages have been examined by Kaspersky throughout 2024 in search for vulnerabilities.
Open-source is software with source code that anyone can inspect, modify, and enhance. Popular open-source packages include GoMod, Maven, NuGet, npm, PyPI, and others. These are tools that power countless applications and help developers easily find, install, and manage pre-built code libraries, making it simpler to build software by reusing code others have written. Attackers take advantage of the popularity of these and other packages.
In March 2025, the Lazarus Group was reported to have deployed several malicious npm packages, which were downloaded multiple times before removal. These packages contained malware to steal credentials, cryptocurrency wallet data, and deploy backdoors, targeting developers’ systems across Windows, macOS, and Linux. The attack leveraged GitHub repositories for added legitimacy, highlighting the group’s sophisticated supply chain tactics. Kaspersky’s GReAT also found other npm packages related to this attack. Malicious npm packages could have been integrated into web development, cryptocurrency platforms, and enterprise software, risking widespread data theft and financial losses.
In 2024, a sophisticated backdoor was discovered in XZ Utils versions 5.6.0 and 5.6.1, a widely used compression library in Linux distributions. Inserted by a trusted contributor, the malicious code targeted SSH servers, enabling remote command execution and threatening countless systems globally. Detected before widespread exploitation due to performance anomalies, the incident highlighted the dangers of supply chain attacks. XZ Utils is integral to operating systems, cloud servers, and IoT devices, making its compromise a threat to critical infrastructure and enterprise networks.
In 2024, Kaspersky’s GReAT discovered that attackers uploaded malicious Python packages like chatgpt-python and chatgpt-wrapper to PyPI, mimicking legitimate tools for interacting with ChatGPT APIs. These packages, designed to steal credentials and deploy backdoors, capitalized on the popularity of AI development to trick developers into downloading them. These packages could have been used in AI development, chatbot integrations, and data analytics platforms, endangering sensitive AI workflows and user data.
“Open-source software is the backbone of many modern solutions, but its openness is being weaponized. The 50% rise in malicious packages by the end of 2024 shows attackers are actively embedding sophisticated backdoors and data stealers in popular packages, which millions rely on. Without rigorous vetting and real-time monitoring, a single compromised package can trigger a global breach. Organizations need to secure the supply chain before the next XZ Utils-level attack succeeds,” comments Dmitry Galov, Head of Research Center for Russia and CIS at Kaspersky’s Global Research and Analysis Team.
To stay safe, Kaspersky recommends:
• Use a solution for monitoring the used open-source components in order to detect the threats that might be hidden inside.
• If you suspect that a threat actor may have gained access to your company’s infrastructure, we recommend using the Kaspersky Compromise Assessment service to uncover any past or ongoing attacks.
• Verify package maintainers: check the credibility of the maintainer or organization behind the package. Look for consistent version history, documentation, and an active issue tracker.
• Stay informed on emerging threats: subscribe to security bulletins and advisories related to the open-source ecosystem. The earlier you know about a threat, the faster you can respond.