Malware in open source software is no longer a fringe threat; it is accelerating at an unprecedented rate. In 2025 alone, more than 90% of all open source vulnerability (OSV) malware advisories were reported, a 14x increase over the past two years, while 92% of NPM account takeovers, in which maintainers of trusted open-source software (OSS) projects are compromised, also occurred last year.
Despite widespread recognition of the threat, with 81% of organizations naming OSS malware a top security priority, only 21% enforce protections like cooldown periods, leaving attackers a widening window to exploit the software supply chain, according to new research from Endor Labs.
The report, Malware in Open Source Ecosystems, is based on a survey of more than 600 global IT professionals combined with OSV and NPM data. It finds that organizations are treating OSS malware as isolated incidents rather than as a coordinated security challenge. While most understand the urgency (88% say the first few days after a package release are the riskiest), few take effective action, leaving their environments vulnerable to attackers who are increasingly hijacking trusted packages.
Key malware study findings
A new attack surface hidden in plain sight: Malicious OSS surged in 2025, with advisories issued faster than organizations can respond. Even short-lived malicious versions can be automatically pulled into thousands of environments within hours.
The awareness-action gap: Organizations understand the risk, yet fewer than half plan to increase budgets for 2026. Limited enforcement of cooldown periods and protective controls means a disconnect persists between knowledge and action.
Structural vulnerabilities: Many compromised packages remain downloadable even after being reported. Only 14% of previously compromised NPM packages use modern security controls like Trusted Publishing. Fragmented responsibility across teams further increases exposure.
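The cooldown-period control that the survey says only 21% of organizations enforce, and the "first few days after release" risk window behind it, can be checked mechanically in CI. The following is an added example, not Endor Labs' code: it compares the versions pinned in an npm lockfile against each package's publish timestamps (the npm registry's package document carries a "time" map of version to ISO-8601 date) and flags anything younger than the cooldown. The registry documents, lockfile and cooldown length are constructed assumptions.

```python
"""Cooldown gate for npm dependencies (added example; assumptions noted inline)."""
from datetime import datetime, timedelta

COOLDOWN_DAYS = 7  # assumption: refuse versions published less than 7 days ago

# Constructed stand-ins for https://registry.npmjs.org/<name> documents; only the
# "time" object (version -> publish timestamp) is needed for this check.
REGISTRY = {
    "left-tool": {"time": {"1.0.0": "2025-01-10T12:00:00.000Z",
                           "1.0.1": "2025-06-01T08:00:00.000Z"}},
    "fast-parse": {"time": {"2.3.0": "2025-05-20T00:00:00.000Z",
                            "2.3.1": "2025-06-04T23:30:00.000Z"}},
}

# Constructed package-lock.json (lockfileVersion 3 "packages" section) excerpt.
LOCKFILE = {
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},  # root entry, not a dependency
        "node_modules/left-tool": {"version": "1.0.1"},
        "node_modules/fast-parse": {"version": "2.3.1"},
    }
}


def parse_npm_time(ts: str) -> datetime:
    """npm emits a trailing 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def cooldown_violations(lockfile, registry, now, cooldown_days=COOLDOWN_DAYS):
    """Return [(name, version, age_in_days)] for pinned versions inside the cooldown.

    A version with no registry timestamp is reported with age None, so a package
    missing from the registry (or a version the registry no longer lists) is
    treated as a failure rather than silently passing.
    """
    violations = []
    for path, entry in lockfile["packages"].items():
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules paths
        version = entry["version"]
        published = registry.get(name, {}).get("time", {}).get(version)
        if published is None:
            violations.append((name, version, None))
            continue
        age = now - parse_npm_time(published)
        if age < timedelta(days=cooldown_days):
            violations.append((name, version, round(age.total_seconds() / 86400, 2)))
    return violations


def violations_at(now_iso: str, cooldown_days=COOLDOWN_DAYS):
    """Evaluate the constructed lockfile as of a given instant (ISO-8601, 'Z' suffix)."""
    return cooldown_violations(LOCKFILE, REGISTRY, parse_npm_time(now_iso), cooldown_days)
```

In a real pipeline the registry documents would be fetched per package and `now` taken from the clock; a non-empty result is the signal to fail the build until the version has aged past the cooldown.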
“Most application security programs were built around vulnerability management, not to detect malware in the software supply chain. Attackers understand this. AI coding agents, MCP servers, and model dependencies are creating new entry points, and we’re already seeing an uptick in malware in open source ecosystems targeting AI coding agents,” said Varun Badhwar, CEO of Endor Labs. “The gap between how fast attackers move and how fast organizations respond is widening, and without a coordinated, cross-functional approach, even strong controls fail in practice.”