The Software Supply Chain Malware Landscape: January - May 2026 | OpenSourceMalware
OpenSourceMalware adds a median of 1000 threat reports per week, and today we have more than 166,000 threats in the database. That’s enough to start drawing some meaningful conclusions about malware trends.

This article looks at the malware landscape from January 1 to May 18, 2026. Three trends stuck out:

npm and PyPI malware are growing at similar rates
ATOs grew in frequency, but that’s not the whole story
Malicious ClawHub skills targeted diverse victims
Trend 1: npm and PyPI malware are growing at similar rates

We track malicious packages across 16 ecosystems. As of the publishing of this research, here’s how those threat records break down:

npm: 146,237
PyPI: 10,940
Other package types combined: 4,239
While npm continues to be the undisputed leader in malicious packages, the velocity of new threat records is very similar across npm and PyPI. Much of PyPI’s growth is driven by threat actors targeting both ecosystems simultaneously rather than choosing between them. For example:

Contagious Interview: Consistently publishing to both npm and PyPI throughout the period, with PyPI packages appearing in the same weeks as the campaign's largest npm drops.
Telegram infostealer cluster: An unattributed campaign deploying infostealers that exfiltrate stolen data via Telegram bots, with a notable cluster of Chinese-language packages suggesting a specific targeting focus, showed near-identical spikes in both npm and PyPI the week of April 13 and continued into May at similar cadence.
Figure 1. New malicious package velocity in npm and PyPI

npm and PyPI both grew steadily throughout the period, with PyPI's rate of growth outpacing npm relative to its base. The sharpest single-week npm increase was the week of April 13, driven by the Stardrop campaign.
Trend 2: ATOs grew in frequency, but that’s not the whole story

Account takeovers (ATOs) are getting a lot of attention, which is fair since TeamPCP pulled off lots of high-profile ATOs beginning with the March compromise of Trivy and growing with their successful Mini Shai-Hulud campaign. But the buzz around ATOs is also dangerous because it distracts from the fact that most newly-discovered malicious packages are more surgical attacks. This is important because some techniques that thwart ATOs (cooldown periods, dependency pinning) can be useless against dependency confusion/typosquatting attacks.

What’s an ATO? These are legitimate packages that were compromised by a threat actor gaining control of a maintainer account or pipeline. When a threat actor compromises a legitimate package, they inherit the publisher's reputation, download history, and position in every dependency tree that references them. But because more eyes are on these packages, malicious versions are often pulled the fastest from registries. That means it’s a race against time to compromise as many people as possible, which is why ATOs usually target packages with high downloads. The `axios` package (attacker unknown) was one of the biggest ATOs this year because it averages 108.4 million weekly downloads.

What’s a dependency confusion/typosquatting attack? These packages are created and maintained by threat actors with the intent of causing harm. Often they’re “born bad” (like Stardrop, where all versions are malicious). Increasingly, they start out as benign in an effort to evade detection, but eventually threat actors will push an update that includes malware. Regardless, this attack vector targets specific technologies (often crypto) in an effort to compromise the users of that technology, and they often have lower download numbers. For example, `events-channel` is a sophisticated npm package that mimics the popular Node.js 'events' module.

Dependency confusion: A malicious package exploits how package managers resolve dependencies between public and private registries to get installed instead of an internal package.
Typosquat: A malicious package uses a name similar to a legitimate one to trick developers or automated systems into installing it instead.
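The point that ATO mitigations and typosquat mitigations catch different things is easy to see in code. The following is an added example, not code from the OpenSourceMalware post or the project's own tooling: a small pre-install audit that runs three independent checks over a resolved dependency list. A cooldown check (the kind of control that would have delayed a freshly published malicious `axios` release) says nothing about an old, long-benign lookalike package; a name-similarity check flags lookalikes such as a package named after the `events` module but cannot see a compromised legitimate release; and a registry check flags an internal package name that resolved from the public registry. The popular-package list, the internal-package list, the 7-day cooldown policy, the fixed "today" date and every dependency record below are constructed sample data and assumptions for the example, not real registry data.

```python
"""Pre-install dependency audit (added example, constructed data)."""
from datetime import date

# --- Constructed assumptions for the example ---------------------------------
POPULAR_PACKAGES = {"events", "axios", "lodash", "express", "requests"}
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-client"}  # hypothetical org names
COOLDOWN_DAYS = 7                 # hypothetical policy: skip releases younger than this
TODAY = date(2026, 5, 18)         # fixed so the example is reproducible

# Constructed resolved-dependency records: name, registry they resolved from,
# and the publish date of the resolved version.
SAMPLE_DEPENDENCIES = [
    {"name": "axios", "registry": "public", "published": date(2026, 5, 16)},
    {"name": "acme-billing-core", "registry": "public", "published": date(2026, 3, 1)},
    {"name": "expres", "registry": "public", "published": date(2025, 1, 1)},
    {"name": "events-channel", "registry": "public", "published": date(2025, 6, 1)},
    {"name": "express", "registry": "public", "published": date(2025, 1, 1)},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_popular_name(name: str, popular: set[str]) -> list[str]:
    """Popular names this package resembles: one edit away, or the popular
    name used as a prefix (e.g. 'events-...'). A hit means 'review', not 'malicious'."""
    hits = set()
    for p in popular:
        if name == p:
            continue
        if levenshtein(name, p) <= 1 or name.startswith((p + "-", p + "_")):
            hits.add(p)
    return sorted(hits)


def audit(dep: dict, today: date = TODAY) -> list[tuple[str, str]]:
    """Return (finding-kind, detail) pairs for one resolved dependency."""
    findings = []
    # Dependency confusion: an internal name should never resolve from the public registry.
    if dep["registry"] == "public" and dep["name"] in INTERNAL_PACKAGES:
        findings.append(("dependency-confusion",
                         "internal package name resolved from the public registry"))
    # Typosquat / lookalike: name resembles a popular package.
    lookalikes = mimics_popular_name(dep["name"], POPULAR_PACKAGES)
    if lookalikes:
        findings.append(("name-lookalike", "resembles " + ", ".join(lookalikes)))
    # Cooldown: the resolved version is too new to trust yet (ATO-style mitigation).
    age_days = (today - dep["published"]).days
    if age_days < COOLDOWN_DAYS:
        findings.append(("cooldown",
                         f"version published {age_days} days ago, policy requires {COOLDOWN_DAYS}"))
    return findings


def audit_all(deps: list[dict], today: date = TODAY) -> dict[str, list[tuple[str, str]]]:
    """Audit every dependency; an empty list means no finding for that name."""
    return {d["name"]: audit(d, today) for d in deps}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DEPENDENCIES).items():
        status = "; ".join(f"{kind}: {detail}" for kind, detail in findings) or "ok"
        print(f"{name:20s} {status}")
```

Running it shows the asymmetry the post describes: only the two-day-old `axios` release trips the cooldown check, only `expres` and `events-channel` trip the name check, and only `acme-billing-core` trips the registry check. Each finding is a review flag rather than a verdict; a legitimate `express-session`-style name would also be flagged by the prefix heuristic, which is the price of catching a lookalike that is otherwise indistinguishable from an ordinary package.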
OpenSourceMalware tracks package downloads, which can be used as an imperfect-but-decent proxy for the attack vector (the higher the download count, the more likely it’s an ATO). Figure 2a shows the weekly download averages for npm and PyPI packages reported as malicious in each week. Figure 2b dives into packages we’ve tagged as ATOs.

Figure 2a. Popularity of malicious npm and PyPI packages

Each column shows the share of that week's malicious packages by popularity tier. The surge in high-download packages from late April onward is almost entirely Mini Shai-Hulud, with 64% of packages with over 10k weekly downloads attributed to TeamPCP, rising to 84% at the 1M+ tier. The shading makes a trend stick out: high-download malicious packages are becoming more common.
Figure 2b. Account takeovers, as a share of weekly malicious packages

The percentage of...