An April 2 report detailed a sharp increase in open-source malware that targets developers, “smash and grab” style, and exfiltrates data from their code environments.
According to Brian Fox, co-founder and CTO at Sonatype, developers are getting tricked into downloading malicious software packages. The package then executes code that gathers details like API passwords, session cookies, and test databases, and ships them to a destination.
“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”
Sonatype, a software supply-chain management company, claims in its recent study:
- Over one half (56%) of malware discovered in Q1 2025 involved data exfiltration, “designed to collect sensitive information from infected systems.”
- In Q4 2024, data exfiltrators made up just 26% of open-source malware—what the company defines as malicious code “intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”
The data-exfiltration attacks are frequently a “spear phishing attack on developers,” according to Fox, appearing via a fake listing on public repositories of software components. Maybe a malicious component’s file name uses an underscore instead of a legitimate component’s hyphen.
“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.
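The underscore-for-hyphen swap Fox describes is cheap to catch before a package is ever installed. The following is an added example written for this article, not code from Sonatype or IT Brew: a small pre-install audit that compares requested dependency names against an allowlist of packages a team actually uses, flagging exact separator swaps (hyphen, underscore, dot are folded together, as PyPI itself normalizes names) and near-miss spellings. The allowlist, the sample requirements lines and the 0.85 similarity threshold are all constructed for the demonstration; the input format assumed is pip-style `name==version` lines.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of packages the organisation is known to depend on.
# Assumption: in practice this comes from a lockfile or an internal mirror.
TRUSTED_PACKAGES = {"requests", "python-dateutil", "pyyaml", "left-pad"}


def normalize(name: str) -> str:
    """Fold the characters typosquatters swap: '-', '_' and '.' are treated
    as one separator and case is ignored, the same normalization PyPI applies."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike_report(requested: str, trusted=TRUSTED_PACKAGES, threshold=0.85):
    """Classify one requested name: 'trusted' (exact allowlist hit),
    'separator-swap' (only -/_/. or case differ from a trusted name),
    'lookalike' (string similarity at or above threshold) or 'unknown'."""
    if requested in trusted:
        return {"name": requested, "verdict": "trusted", "match": requested}

    norm = normalize(requested)
    for t in trusted:
        if normalize(t) == norm:
            return {"name": requested, "verdict": "separator-swap", "match": t}

    # Fall back to a similarity ratio to catch single-character edits.
    best, score = None, 0.0
    for t in trusted:
        s = SequenceMatcher(None, norm, normalize(t)).ratio()
        if s > score:
            best, score = t, s
    if score >= threshold:
        return {"name": requested, "verdict": "lookalike",
                "match": best, "similarity": round(score, 2)}
    return {"name": requested, "verdict": "unknown", "match": None}


def audit_manifest(lines):
    """Audit pip-style requirement lines and return every entry that is not an
    exact allowlist match, so a human reviews it before installation."""
    findings = []
    for line in lines:
        # Strip version specifiers; keep only the distribution name.
        name = re.split(r"[=<>!~ ]", line.strip(), maxsplit=1)[0]
        if not name or name.startswith("#"):
            continue
        report = lookalike_report(name)
        if report["verdict"] != "trusted":
            findings.append(report)
    return findings


# Constructed sample manifest: one clean pin, one separator swap,
# one near-miss spelling, one package simply not on the allowlist.
SAMPLE_REQUIREMENTS = [
    "requests==2.32.0",
    "python_dateutil>=2.9",
    "requestz",
    "numpy~=1.26",
    "# comment line is ignored",
]

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run as a pre-commit or CI step, the `separator-swap` and `lookalike` verdicts are the ones worth blocking outright; an `unknown` result just means the package needs to be vetted and added to the allowlist. Download counts and stars are deliberately not consulted, since the report notes attackers fake both.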
Threat actors can do plenty with data smashed and grabbed from a developer environment. An API key acts as an entryway to an application and its valuable data.
According to Fox, threat actors are targeting small but valuable pieces of data—like a retailer’s repo of hashed passwords or a browser’s cache of cookies—to help adversaries access bank accounts.
“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.
The report cited early incidents from 2025:
- Hijacked packages on JavaScript code-sharing tool npm contained malware that collected “sensitive information from the target system environment such as environment variables”—components that Sonatype noted often store valuable API keys, access tokens, and SSH credentials.
- A counterfeit npm extension installed info-gathering spyware and enabled “full remote control.”
- Malicious packages targeted crypto developers with Windows trojans capable of keylogging and data exfiltration. (These packages were downloaded over 1,900 times collectively, the report said.)
A separate Sonatype report, released in November 2024, claimed a 156% year-over-year growth in open-source malware, citing 512,847 malicious packages—not just data exfiltrators but a full array of malware—since October 2023.