Threat Research Year In Review – 2025

In November of last year, Aaron Bray made some supply chain security predictions for 2025. Now, as we approach the close of the year, we are going to look at how those predictions turned out. But first let’s start with the high-level statistics and review some of the campaigns we have been tracking and reporting on this year. As this year is not yet over, we have excluded data from December for both 2024 and 2025.

2025 Key Findings

As usual, the volume of packages submitted to NPM in 2025 far outweighs what we see in other ecosystems. The primary reason for this is that when looking at web applications, regardless of the backed technology (e.g. Java, Rust, C#, etc.), it is most common for the front-end User Interface to be built using JavaScript or TypeScript. These front-end technologies largely depend on NPM, as it is also straightforward to author and publish packages to this ecosystem, which explains why we see a consistently high level of activity.

Here are some stats on the malicious behaviors we identified this year:

• 4,196 packages were specifically designed to target groups or organizations, often linked to cyber espionage or financial theft.
• 58,473 packages contained URLs known to be malicious, underscoring the growing risk of dependency injection attacks.
• 929,789 packages included pre-compiled binaries, creating potential attack vectors for binary tampering.
• 160,959 packages executed suspicious code during installation.
• 38,092 packages made server requests to IP addresses, attempting to communicate with command-and-control servers.
• 1,062,697 packages attempted to obfuscate their underlying code, making detecting malicious activity much more difficult.
• 4,863 packages were identified as typosquats, indicating a concerted effort by attackers to trick developers into installing malicious versions of popular packages.
• +61,801 spam packages were published across ecosystems, severely degrading the integrity of open-source repositories and threatening the trust developers place in these platforms.
• 206,632 packages were flagged as containing critical malware, requiring immediate attention. This was an increase of 86.8% compared to the same time last year.

Trends

We observed several trends across these categories of malicious behavior when compared to last year. Most notably, it is now common for packages to make use of obfuscation, a technique to make the code harder to analyze or reverse engineer in order to protect Intellectual Property (IP). However attackers are leveraging this to disguise malicious payloads and make detection significantly more difficult.

We saw a rise in code that executes during package installation. This is particularly problematic for malware analysis when the code is fetched from outside the package itself, e.g. via a file downloaded from a URL during installation using pre/post-install hooks. This dynamic nature makes it hard to be certain whether a package is malicious or not as the contents of the file behind the URL could change at any time, swapping out a benign or legitimate file for a malicious payload.

There was a reduction in dependency confusion attacks this year, suggesting tactics to target specific groups or organizations for financial gain have changed, and other more effective means are being used instead.

Malicious Behavior	2024	2025	Change
Dependency confusion	19,560	4,196	⬇️ 78.5%
Malicious URLs	45,776	58,473	⬆️ 27.7%
Pre-compiled binaries	1,056,851	929,789	⬇️ 12.0%
Suspicious install code	127,848	160,959	⬆️ 25.9%
Malicious IP addresses	33,006	38,092	⬆️ 15.4%
Obfuscation	78,740	1,062,697	⬆️ 1,249.6%
Typosquats	4,929	4,863	⬇️ 1.3%

Noteworthy Campaigns

During 2025 we observed and reported on a number of notable campaigns. We will highlight some of them here, but this is not an exhaustive list.

Contagious Interview Continues To Recruit

Every now and then we see another blog post, e.g. this recent one from Socket regarding the ongoing Contagious Interview campaign. This campaign is understood to target job-seeking developers in order to steal cryptocurrency and other sensitive data. The threat actor, known as Famous Chollima, is believed to operate on behalf of North Korea. The campaign has been widely reported on, including in multiple posts from our own team (here and here).

The Socket post makes for good reading as they go into detail about the attacker’s infrastructure. We also noted a recent focus targeting developers familiar with Vite and the Tailwind CSS UI technology, as the campaign periodically shifts tactics. Typically we see this malware in logging libraries. Below, is an illustrative selection of some of the 389+ package names we’ve seen from this campaign so far, so you can get a feel for who is being targeted:

We have been tracking several ongoing campaigns and the chart below should give some indication of the sorts of targeted malicious activity we contend with on a daily basis, and how persistent this campaign is.

Since July we have been tracking a new campaign in which the attacker uses a hex-encoded string obfuscation technique in a JavaScript file named metrics.js to exfiltrate usernames, host names, operating system information, CPU architectures, and environment variables. It is common to see packages that collect telemetry and we do not automatically consider these malicious. However, exfiltration of environment variables, which often contain sensitive data such as API keys is never acceptable. A selection of the 136+ packages has been included below to give an indication about who this group was targeting:

“Security Testing” Malware

A steady source of background noise, and certainly not new for 2025, is the constant “security testing” malware. These are often packages planted by bug bounty hunters to demonstrate a proof of concept, or confirm subdomain-takeover attacks were successful, but often these packages exfiltrate sensitive data such as all the environment variables to an attacker collaboration server, not unlike the “metrics.js” campaign noted above.

Shai-Hulud Worm

In September we contained and reported on the Shai-Hulud Worm incident. This was the first time the industry experienced worm-like behavior affecting the supply chain. When this occurred, we anticipated copycats and further incidents. This worm made use of a bundled, legitimate, popular secret scanning tool Trufflehog, to exfiltrate secrets from CI/CD systems and publish internal repositories. Using NPM authentication tokens it then replicated and spread, infecting other packages owned by the compromised account.

Shai Hulud V2 AKA Sha1-Hulud

Late November we observed that more than 848 packages had been compromised with a 10MB malicious and obfuscated JavaScript file. Our automated system alerted us to suspicious behavior in files named setup_bun.js across several packages. Our threat research team investigated this further, discovered one of the victims had a misconfigured GitHub action and alerted them. Subsequently we rolled out additional detections to keep our customers protected in real-time as the worm spread by exploiting these misconfigured GitHub actions.

The chart below shows the rate and number of NPM packages containing the worm.

The chart below shows the rate and number of compromised GitHub accounts.

The chart below shows the rate and number of compromised GitHub accounts.

This worm was an enhancement on the earlier version of the worm. GitLab did a good write up on it here. The worm continued to feature Trufflehog for secrets extraction, but this time it included a dead-mans-switch to attempt to destroy the compromised system should access to NPM and GitHub be restricted.

A Year’s Worth of Spam In A Day

In what looked like an early Christmas, in November more than 60,000+ spam packages were published to NPM. This campaign was first reported by Paul McCarty and given the name “IndonesianFoods” because the package names included some dishes popular in Indonesia. The package names had a format of three words separated with dashes and underscores along with often some numbers here and there. We also observed a few changes in the naming, with the word “tea” or “dev” in the package name. Some examples of these spam packages are listed below:

The jumps in the chart below were due to spam campaigns, most prominently the November incident.

So How Did Those Predictions Go?

With 2025 almost under wraps, lets now answer Aaron’s 2025 predictions below.

Software supply chain attacks originating in the open-source ecosystem will continue to increase

It seems every day we hear of a new supply chain attack, and new for 2025 an account compromise leading to worm-like propagation of malware. This is very much the case, and we can expect to continue to see this trend well into 2026.

The proliferation of generative AI-based code creation tools will allow bad actors to exploit new attack vectors

We have seen some cases, in 2025, where prompts were abused to carry out malicious behavior such as with the compromise of the nx NPM account, which resulted in the weaponization of locally-installed LLMs on developer machines. This was an attempt to exfiltrate sensitive data, including cryptocurrency wallets and key stores.

We’ll see a rise in shadow application development now that LLM-based code-writing tools allow anyone to build applications

We noticed code comments in 2025 to be emoji-rich, which is a telltale indicator of the use of LLM tools. Further not removing these helpful comments suggests an element of vibe-coding was in play for a lot of the packages we observed at least within the NPM ecosystem.

Attackers use automation and generative AI: Automated attacks in the open-source ecosystem will become more persistent and harder for developers to detect

The presence of the worms this year is clear proof of the power of automated compromise. As attackers evolve and fine tune their attacks, we can expect to see more of this in 2026, and with greater sophistication. They will very likely be more complex attack chains, which will be harder to detect.

Nation-states will continue to attack developers via the open-source ecosystem

As noted under the heading above “Contagious Interview Continues To Recruit” we found this to be true as the campaign is ongoing.

Government adoption of generative AI-based code creation tools will have national security implications

The author of this post was not privy to any governmental insight into this, however AI usage seems to be widely adopted globally, leading us to assume this prediction holds true.

Organizations will put open-source software under more scrutiny before it is used in their applications

The OWASP TOP 10 2025 RC1 was published in November with “A03:2025-Supply Chain Failures”, which was top-ranked in the Top 10 community survey carried out by OWASP, with half of the respondents ranking this threat as number #1.

Our Predictions For 2026

All of Aaron’s 2025 predictions still hold true for 2026 with the following addition.

More Worms And In More Ecosystems

It’s fairly safe to say worm-like attacks are here to stay and we are likely going to see a lot more of this next year, as well as other ecosystems likely to be targeted. Socket updated their blog post to say “We now also observe a spillover into the Java/Maven ecosystem: the Maven Central package org.mvnpm:posthog-node:4.18.1 embeds the same Bun-based malicious payload and setup_bun.js loader used in the npm campaign.”. This appears to be a copy of the NPM artifact, perhaps as part of build automation for Maven, rather than a Maven-specific attack. It is only a matter of time before we see attempts to replicate this in other ecosystems.

We also asked Veracode’s founder and chief security evangelist, Chris Wysopal, for his 2026 predictions, and the following is what he had to say.

Automated, AI-Driven Supply Chain Attacks Become the Norm

By 2026, adversaries will routinely use AI agents to map dependency graphs, identify weak upstream components, and generate functional exploits at scale. This turns what used to be opportunistic targeting into systematic, high-volume reconnaissance and compromise across the entire software ecosystem. Expect a sharp rise in indirect compromise paths. Organizations will need continuous monitoring of dependency health, not annual SBOM collection to stay ahead of automated adversaries.

Compromise of Build Systems Overtakes Source Code as the Primary Attack Vector

Attackers will shift from tampering with source code to targeting CI/CD infrastructure such as ephemeral runners, build scripts and base images. This results in signed, “trusted” artifacts being produced from a compromised build pipeline, making detection significantly harder. CISOs must treat CI/CD as part of the critical infrastructure footprint. Build integrity controls; provenance, signing, isolated runners, and policy enforcement as these will become table stakes.

Static SBOMs Lose Relevance; Real-Time Build Provenance Becomes Required

Traditional Software Bill of Materials (SBOM) will no longer satisfy regulators, insurers, or enterprise buyers. Static lists cannot keep up with daily dependency changes or AI-driven supply-chain threats. By 2026, the market will move toward real-time build attestation and continuous dependency visibility tied directly to CI pipelines.

CISOs should plan now for technologies that support live SBOM generation, automated provenance, and continuous dependency lifecycle management. These will become compliance expectations and procurement requirements.

Staying Safe In 2026

Supply chain risks are increasing in scale and complexity. Attackers now target not only servers, but also browsers and end users, through high-trust dependencies. Standard reactive security is no longer sufficient.

Veracode empowers you to adopt a proactive, defense-ready stance, protecting your developers, your users, and your business from the next wave of sophisticated supply chain attacks.

Reach out to learn more.