TL;DR At the end of Q2 2026, Sonatype Research reached 1.8 million malicious packages logged. In Q2, npm accounted for 96.6% of malicious package counts, with repository abuse and trojan-class activity showing how attackers continue to exploit high-trust, high-automation ecosystems. The quarter's defining theme was trust under pressure. Large-scale repository abuse campaigns, worm-like malware, dependency confusion, and maintainer compromises turned trusted software distribution channels into attack paths. Q2 showed attackers evolving beyond obvious malicious packages to target trusted developer workflows through campaigns like Shai-Hulud Miasma, CanisterSprawl, Atomic Arch, malicious PyTorch Lightning releases, dependency confusion, and maintainer/package hijacking. In Q2 2026, Sonatype Research reached more than 1.8 million malicious packages logged across ecosystems over the past decade. This quarter's malicious activity was driven overwhelmingly by npm, which accounted for 96.6% of packages. This quarter was not shaped primarily by isolated malicious uploads, but rather a more industrialized pattern of abuse, for example: Large-scale package publication Repository misuse Trojan-class malware operating at massive volumes npm's dominance should not flatten the story. Sonatype also observed lower-volume but higher-signal malicious behavior across PyPI, NuGet, Hugging Face models, RubyGems, Go, Cargo, and other ecosystems. So, npm produced the flood, but the broader ecosystem showed how attackers continue to probe trusted developer workflows. Q2 pushe d a Q1 tr end even further: open source malware is no longer only a package-by-package detection problem. Defenders must understand how malicious packages behave, where they execute, and which trust relationships they abuse. npm Dominated, But Trust Was the Target npm dominated Q2 by count, but outside npm, the threat landscape became far more concentrated. Nearly 87% of all non-npm malicious package activity occurred in just two ecosystems: PyPI (48.5%) and NuGet (38.0%). Hugging Face models (6.8%) and RubyGems (3.0%) accounted for much of the remainder. PyPI and NuGet also carried the highest concentrations of higher-risk behaviors: Threat Type Quantity in PyPI Quantity in NuGet Potentially unwanted applications (PUAs) 3,286 3,268 Secrets exfiltration 2,155 1,962 Droppers 1,326 676 Host information exfiltration 341 8 While repository abuse and trojan activity drove overall volume, the concentration of exfiltration and payload-delivery behaviors in PyPI and NuGet reinforces that attackers continue to target multiple trusted ecosystems — not just npm. Trojan activity shows the payload problem. Brandjacking and hijacking show the trust problem. Q2 illustrated both as attackers used npm's reach, familiar package names, compromised maintainers, and dependency relationships to turn trusted paths into attack paths. The Quarter's Defining Pattern: Trusted Paths Became Attack Paths The Q2 dataset is reinforced by the quarter's malware research. Sonatype Rese arch published extensively on ca mpaigns that abused trusted packages, maintainers, dependency relationships, and install-time workflows. Instead of analyzing each campaign in isolation, let's organize them according to the broader patterns they demonstrate. Self-Propagating and Maintainer-Focused Malware Continued to Evolve Shai-Hulud re mained one of the clearest examples of attackers turning trusted packages into propagation infrastructure. In early June, Sonatype Research trac ked a new Shai-Hulud Miasma wave affe cting hundreds of npm packages. Moving beyond standard installation scripts, the campaign abused binding.gyp to execute during install, allowing it to harvest developer and CI/CD data, steal tokens, validate credentials, and publish more malicious artifacts. Attackers adapted to defender expectations. If security teams only look for suspicious lifecycle scripts in package.json , attackers will move execution elsewhere. We also tracked CanisterSp rawl, a self-propagating npm malware campaign that s tole sensitive data from developer machines and then used hijacked credentials to publish additional compromised packages. Credential theft is no longer always the end state. In modern open source malware, stolen credentials can become the next distribution mechanism. Dependency Relationships Became a Delivery Mechanism Several Q2 campaigns showed attackers abusing the way package managers resolve and install dependencies. I n a 176-package npm campaign lev eraging dependency confusion, Sonatype researchers found malicious packages with exceptionally high version numbers designed to win automated resolution races against internal dependencies. The malware host environments, downloaded platform-specific payloads, and harvested environment variables, credentials, CI/CD secrets, and authentication tokens. T he easy-day-js campaign follow ed a related pattern. Attackers compromised trusted Mastra packages and added a malicious dependency, causing installs of those packages to also install and execute easy-day-js. Atomic Arch ext ended this pattern past npm by targeting orphaned Arch User Repository packages. By modifying PKGBUILDs to pull in a malicious npm dependency, the campaign enabled credential harvesting, stealth, anti-debugging, and data exfiltration, ultimately impacting around 1,500 packages across multiple waves. These campaigns demonstrate that attackers do not always need to convince developers to install obviously malicious packages. Compromising a trusted dependency relationship is enough. Trusted Packages and Maintainers Remained High-Value Targets Q2 also showed continued attacker focus on trusted packages and maintainer accounts. For th e PyTorch Lightning incident , Sonatype reported how malicious versions of the popular lightning package were uploaded to PyPI after a publisher account compromise. The malicious versions were designed to steal developer credentials and republish malicious versions of repositories accessible through stolen tokens. We also reported hijacked Red Hat Cloud Services packages that delivered install-time malware designed to steal credentials, spread through trusted workflows, and expose developer environments. Another hijacked npm package attempted to deliver malware linked to PolinRider , expo sing developer systems, CI/CD pipelines, and credentials. These incidents show why maintainer and publisher security remains central to open source risk. Once a trusted package or account is compromised, the attacker inherits legitimacy. Brandjacking Remained a Persistent Trust-Abuse Technique Q2 also included activity associated wi th Lazarus Group brandjacking on npm . Sona type reported a campaign involving dozens of packages, some with up to 500 weekly downloads, that used naming and mimicry tactics to appear as though they belonged in legitimate developer environments. Brandjacking is smaller than trojan activity by raw count in the Q2 dataset, but it remains dangerous because it targets developer assumptions. Attackers mimic naming conventions, ecosystem patterns, organizational signals, and package relationships to get malicious software installed. The Defender's Challenge: Prioritize Without Being Blinded by Volume Data and incidents from Q2 2026 illustrate that although the volume of malicious packages is significant, quantity alone cannot function as a proper risk model. Focusing only on the largest category reduces the quarter to npm repository abuse. Similarly, focusing solely on severe payloads overlooks the automation, trust abuse, and dependency-chain behaviors that enable malicious packages to spread. Modern open source malware often executes during installation, build, or CI/CD automation rather than waiting for application runtime. Traditional scanning frequently detects artifacts too late — after execution has occurred, secrets are exposed, and follow-on activity is already underway. Consequently, security controls must operate earlier and continuously. Organizations should: Block known malicious compone nts before they enter internal repositories . Automate detection of malicious behav ior across direct and transitive dependencies . Enforce validation of package provenance, publisher behavior, and release integrity. Protect internal namespaces against dependency confusion. Rotate credentials when developer or CI/CD environments may have been exposed. Extend software supply chain governan ce to AI and ML artifacts , n ot just traditional package managers. When Scale Becomes the Threat Q2 2026 was marked not merely by a rise in malicious packages but a clear demonstration of how open source malware has become industrialized. Attackers continue to concentrate activity in npm while refining cross-ecosystem techniques. They abuse trusted packages, maintainers, dependencies, and install behaviors, using stolen credentials to compromise victims and propagate through the software supply chain. While data highlights npm, the ac tual threat landscape is b roader. Attackers exploit systemic trust, automation, and dependency resolution, meaning defenders cannot treat malicious packages as isolated artifacts. Open source remains a great accelerator of modern software development. But Q2 2026 shows that the same scale that makes open source powerful also makes it attractive to attackers. When trusted paths become attack paths, security needs to move earlier, faster, and with more context.
Comments
Sign in to join the conversation.
No comments yet. Be the first.