Open-source malware surges 188 percent, targeting developers
Briefly

Sonatype uncovered 16,279 malicious open-source packages in Q2 2025, a 188 percent increase from the previous year. Data exfiltration remains the dominant tactic, aimed at developers and their credentials: attackers go after secrets held in environment variables, config files, and CI/CD tools. The crypto-encrypt-ts package gained traction as a fraudulent CryptoJS library that targeted crypto wallets. Overall, 55 percent of detected packages were built for data exfiltration, and attackers used methods such as time-delayed payloads to evade detection, posing significant risks to CI/CD pipelines.
The second quarter of 2025 revealed a troubling acceleration in supply chain attacks against the software development ecosystem. Malicious actors are systematically targeting developer environments, with 55 percent of all detected packages designed specifically for data exfiltration.
Developers possess what attackers truly value: access to secrets and keys stored in predictable locations. Environment variables, config files, and CI/CD tools contain sensitive information that can provide unauthorized access to cloud accounts, APIs, databases, and internal systems.
The crypto-encrypt-ts package exemplifies this targeting strategy. Masquerading as a legitimate CryptoJS library revival, it gained nearly 2,000 downloads before being identified as malware. Once installed, it selectively targeted crypto wallets with balances exceeding 1,000 units while harvesting MongoDB connection strings and environment variables.
Over 4,400 packages were engineered to steal secrets, personally identifiable information, credentials, and API tokens from unsuspecting developers. The attackers are leveraging time-delayed payloads and encrypted transmissions to avoid detection, making these threats particularly dangerous for CI/CD pipelines.
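The behaviours described above (install-time hooks, reading environment variables, delayed execution, outbound network calls) can be checked for statically before a package is ever installed. The following is an added example of such a pre-install audit, written for this page and not part of Sonatype's report or any project's tooling; the indicator patterns, risk thresholds, and the two sample packages are this example's own constructed assumptions.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Lifecycle scripts that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators matching the behaviours named in the report.
# Pattern set is an assumption of this example, not an exhaustive rule base.
INDICATORS = {
    "env_access": re.compile(r"\bprocess\.env\b"),
    "delayed_exec": re.compile(r"\bset(?:Timeout|Interval)\s*\("),
    "network": re.compile(r"\b(?:https?|net|dns)\.\w+\s*\(|\bfetch\s*\("),
    "child_process": re.compile(r"\bchild_process\b|\b(?:exec|execSync|spawn)\s*\("),
    "secret_files": re.compile(r"\.(?:ssh|aws|npmrc|docker)\b|\bwallet\b", re.I),
    "mongo_uri": re.compile(r"mongodb(?:\+srv)?://", re.I),
}


@dataclass
class Finding:
    path: str
    indicator: str
    line: int
    snippet: str


@dataclass
class AuditReport:
    package: str
    install_hooks: Dict[str, str]
    findings: List[Finding] = field(default_factory=list)

    def indicators(self) -> set:
        return {f.indicator for f in self.findings}

    def risk(self) -> str:
        hit = self.indicators()
        hooked = bool(self.install_hooks)
        # Reading the environment and reaching the network (or a shell) from
        # an install hook is the combination the report describes; a delay
        # alone is not required to rate it high.
        if hooked and "env_access" in hit and ({"network", "child_process"} & hit):
            return "high"
        if hooked and hit:
            return "medium"
        if {"env_access", "network"} <= hit:
            return "medium"
        return "low"


def audit_package(files: Dict[str, str]) -> AuditReport:
    """Scan an unpacked package (path -> file contents) without executing it."""
    manifest = json.loads(files.get("package.json", "{}"))
    scripts = manifest.get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    report = AuditReport(package=manifest.get("name", "<unnamed>"), install_hooks=hooks)
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    report.findings.append(Finding(path, name, lineno, line.strip()))
    return report


# Constructed sample 1: the shape of a package that runs at install time,
# snapshots the environment and phones out after a delay. The lines are
# indicators only (undefined names, invalid host), not a working program.
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-pkg",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": "\n".join([
        "const snapshot = JSON.stringify(process.env);",
        "const uri = config.MONGO_URL || 'mongodb://placeholder.invalid';",
        "setTimeout(() => https.request(endpoint, { method: 'POST' }), 3600000);",
    ]),
}

# Constructed sample 2: an ordinary library that only reads NODE_ENV.
BENIGN_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-utils",
        "version": "2.3.1",
        "scripts": {"test": "node test.js"},
    }),
    "index.js": "const debug = process.env.NODE_ENV !== 'production';\nmodule.exports = { debug };",
}


if __name__ == "__main__":
    for pkg in (SUSPICIOUS_PACKAGE, BENIGN_PACKAGE):
        r = audit_package(pkg)
        print(f"{r.package}: risk={r.risk()} hooks={list(r.install_hooks)} "
              f"indicators={sorted(r.indicators())}")
```

Run against the two samples, the first package is rated high (install hook plus environment access plus a network call) and the second low, even though both touch `process.env`. The point of the scoring is that none of the indicators is damning on its own; an install hook that reads secrets and talks to the network is the combination worth blocking in a CI gate, with anything rated medium sent for manual review.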
Read at Techzine Global