Sonatype Releases Q1 2026 Open Source Malware Index: Trust Abuse Most Successful Attack Vector


Sonatype Releases Q1 2026 Open Source Malware Index: Trust Abuse Most Successful Attack Vector

 

 

 

April 14, 2026 - Sonatype, the leader in AI-driven DevSecOps, today unveiled the Q1 2026 Open Source Malware Index, identifying 21,764 malicious open source packages in the first quarter of the year and bringing the total logged since 2017 to 1,346,867. The npm registry continues to be the target of most new malicious attacks, at 75%, with the quarter defined by credential theft, host reconnaissance, and staged payload delivery aimed at developer and CI/CD environments.

“The biggest open source attacks in Q1 didn’t win because they were novel. They won because they abused trust already built into the software lifecycle — trusted package names, trusted tools, and trusted release workflows,” said Brian Fox, Co-founder and CTO of Sonatype. “That’s what makes modern supply chain attacks more dangerous: the problem is no longer just spotting something suspicious, it’s knowing when something familiar has been turned against you.”

Trust Abuse, Not Novelty, Defined the Most Successful Q1 Attacks

In the first three months of 2026, Sonatype observed the equivalent of one malicious package every six minutes. But the bigger story was how those attacks succeeded. Rather than relying on obvious deception, attackers increasingly used plausible packages, compromised release paths, and trusted software to gain access. Incidents such as the axios compromise and the Trivy/LiteLLM campaign showed how small changes inside trusted packages and release workflows can create outsized downstream risk.

Developer and CI/CD Environments: Primary Targets for Access, Persistence, and Reuse

The report found that 22% (~4,900) of Q1 malware exfiltrated host information, 19% (~4,200) stole secrets, and 16% (~3,500) set the stage for secondary payloads — clear signals that attackers are targeting developer machines and software delivery infrastructure for reusable access. These campaigns were built to capture tokens, keys, cloud credentials, and other secrets that can be reused across repositories, build systems, and production environments. SANDWORM_MODE, in particular, highlighted how open source malware is becoming more adaptive and better suited to spreading through developer and CI environments.

npm Remained the Dominant Ecosystem for Malware Distribution and Downstream Reach

With npm seeing the equivalent of 46 malicious packages per day, the JavaScript ecosystem remained the leading distribution channel for open source malware in Q1. PyPI saw 18% of total malware in Q1, with other registries significantly lower, signaling that attackers are concentrating on the ecosystems that offer the greatest scale, speed, and downstream reach. For defenders, that means the most widely used registries remain some of the most attractive channels for malware delivery.

Backed by Sonatype’s industry-leading security research team, Sonatype Repository Firewall helped customers prevent 136,107 open source malware attacks in Q1. To explore the full findings from the Q1 2026 Open Source Malware Index and access additional software supply chain guidance, visit Sonatype Guide.

 

Sonatype solutions are available in Romania through Simple IT, Sonatype Partner in Romania.

 

 

About Simple IT

 

SIMPLE IT is a distributor for software solutions and hardware appliances, adding value with consulting, training, implementation, configuration and support services, backed by certified specialists, in order to offer the best IT experience to customers and partners. For more information, please visit www.simpleit.com.ro.