The open-source software ecosystem, once considered a bastion of collaborative development, has become an increasingly attractive target for cybercriminals seeking to infiltrate supply chains and compromise downstream systems.
Recent analysis conducted during the second quarter of 2025 reveals that threat actors are persistently exploiting vulnerabilities in popular package repositories to distribute malware, exfiltrate sensitive data, and establish persistent footholds in victim environments.
This alarming trend represents a fundamental shift in attack methodology, where malicious actors leverage the inherent trust developers place in third-party packages to bypass traditional security controls.
The scope of this threat landscape is vast and growing. During Q2 2025, automated threat detection platforms scanned over 1.4 million NPM (Node Package Manager) and 400,000 PyPI (Python Package Index) packages, uncovering substantial numbers of malicious packages embedded within these repositories.
The attack vectors employed by these threat actors demonstrate a sophisticated understanding of software development workflows, exploiting the automated installation processes that occur when developers integrate new dependencies into their projects.
.webp)
Fortinet analysts identified several malicious PyPI packages during this period, including simple-mali-pkg-0.1.0, confighum-0.3.5, sinontop-utils-0.3.5, solana-sdkpy-1.2.5, and solana-sdkpy-1.2.6, alongside the NPM package postcss-theme-vars-7.0.7.
.webp)
These packages serve as representative examples of the evolving tactics employed by threat actors, combining traditional malware techniques with supply chain exploitation methods to maximize their impact and evade detection.
.webp)
Code Obfuscation and Execution Mechanisms
The technical sophistication of these malicious packages is particularly noteworthy in their use of multi-layered obfuscation techniques designed to conceal malicious intent from both automated scanning tools and human analysts.
The simple-mali-pkg-0.1.0 package demonstrates this approach through its setup.py file, which executes a suspicious mali.py file during installation using the following mechanism:-
mali_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "mali.py")
subprocess.call([sys.executable, mali_path], shell=True)
This mali.py file contains heavily encrypted code utilizing dozens of layers of encryption, beginning with obfuscated lambda functions that decompress base64-encoded data.
Similarly, the postcss-theme-vars-7.0.7 NPM package employs JavaScript obfuscation techniques, hiding malicious functionality within a file deceptively named test-samples.dat to avoid detection.
Upon successful deobfuscation, these packages reveal comprehensive data exfiltration capabilities targeting browser credentials, cryptocurrency wallets, and sensitive documents, while implementing keylogging and screenshot capture functionality to transmit captured data to attacker-controlled servers.
Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches