CI/CD And npm Face Open Source Trust Attack Surge, Sonatype Q1 2026 Index

Sonatype’s Q1 2026 index shows open source malware campaigns are increasingly succeeding by abusing trusted packages and release workflows, with npm and CI/CD systems emerging as the most exposed attack surfaces.

Open-source trust abuse, rather than technical novelty, emerged as the defining malware trend in Q1 2026, as Sonatype identified 21,764 malicious open-source packages during the quarter—taking the cumulative total logged since 2017 to 1,346,867. The pace translates to one malicious package every six minutes, underscoring the scale of the software supply chain threat.

The sharper concern lies in how these attacks succeeded. Instead of relying on obvious deception, threat actors increasingly weaponised trusted package names, compromised release workflows, familiar dependency names, and legitimate software tools, marking a decisive shift from fake-package deception to trusted open-source dependency compromise.

“The biggest open source attacks in Q1 didn’t win because they were novel. They won because they abused trust already built into the software lifecycle — trusted package names, trusted tools, and trusted release workflows. That’s what makes modern supply chain attacks more dangerous: the problem is no longer just spotting something suspicious, it’s knowing when something familiar has been turned against you,” said Brian Fox, Co-founder and CTO, Sonatype.

The npm ecosystem accounted for 75% of all malicious packages, averaging 46 malicious packages per day, while PyPI represented 18%, highlighting attackers’ focus on ecosystems with the widest downstream developer reach.

Developer machines and CI/CD pipelines remained the primary targets, with campaigns aimed at credential theft, host reconnaissance, staged payload delivery, and the theft of reusable cloud or build secrets. Sonatype said 22% of the malicious packages exfiltrated host data, 19% stole secrets, and 16% prepared secondary payloads.

Incidents involving axios, LiteLLM, SANDWORM_MODE, and the Trivy/LiteLLM campaign reinforced the trust-compromise trend, while Sonatype’s Repository Firewall reportedly blocked 136,107 attacks in Q1 alone.
