Key Takeaways
- Malicious packages in public software repositories grew from 55,000 in 2022 to 454,600 in 2025 — an 8x increase in three years
- Notable acceleration occurred in 2023 (GPT-4 release) and 2025 (agentic coding tools becoming mainstream)
- The Axios HTTP library was compromised on npm, with malicious versions deploying a Remote Access Trojan (RAT)
- AI coding assistants are making it trivially easy to generate convincing malicious packages at scale
- Dependency auditing has become a mandatory security practice, not an optional enhancement
The Facts
The Sonatype 2025 State of the Software Supply Chain report documents one of the most alarming security trends in modern software development: malicious packages in public software repositories grew from 55,000 in 2022 to 454,600 in 2025 — an eightfold increase in three years. The acceleration correlates precisely with the mainstream availability of AI coding tools: significant jumps occurred in 2023 (when GPT-4 was released publicly) and in 2025 (when agentic coding platforms became widely accessible to low-sophistication actors).
A high-profile incident illustrating the real-world impact occurred when the Axios HTTP library (one of the most downloaded npm packages globally, with hundreds of millions of downloads) was compromised through malicious versions deployed to the npm registry. The malicious versions deployed a Remote Access Trojan (RAT) to affected systems, demonstrating that even widely used, well-maintained packages are not immune to supply chain compromise.
For context on the scale: npm, PyPI, and other public package registries collectively host hundreds of millions of package versions. Developers building modern software depend on hundreds of these packages, and each dependency introduces potential supply chain risk. A malicious package installed as a transitive dependency (a dependency of a dependency) can be extremely difficult to detect.
Technical Deep-Dive
Supply chain attacks in software repositories exploit the trust developers place in publicly available packages. The attack vectors include: typosquatting (publishing packages with names similar to legitimate packages to catch developers who mistype), dependency confusion (registering packages with the same names as internal company packages in public registries), account compromise (accessing a legitimate package maintainer's account to publish malicious updates), and direct injection (inserting malicious code into package contributions through the open-source contribution process).
AI has dramatically reduced the sophistication required to execute typosquatting and fake package attacks. An AI coding tool can generate a convincing README, package documentation, and plausible implementation code for a package designed to look like a legitimate utility while containing embedded malicious functionality. The barrier to creating a convincing fake package has fallen from "skilled developer with obfuscation expertise" to "anyone who can describe what they want."
Dependency auditing tools — npm audit, pip-audit, and specialised supply chain security platforms — scan installed packages against known vulnerability and malicious package databases. Automated integration of these tools in CI/CD pipelines (running on every build rather than periodically) is the baseline defence against known malicious packages.
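An added example (not from the original article) of what a CI job can do with `npm audit --json` output: it keeps findings at or above a severity threshold and traces each one back to the advisory that caused it, including through indirect dependencies. The report is constructed in the `auditReportVersion: 2` shape that npm 7 and later emit; package names and advisory URLs are placeholders.

```javascript
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// A `via` entry is either an advisory object or the name of another vulnerable
// package; follow the names until advisory objects are reached.
function rootAdvisories(report, name, seen = new Set()) {
  const vuln = report.vulnerabilities[name];
  if (!vuln || seen.has(name)) return [];
  seen.add(name);
  return vuln.via.flatMap((v) =>
    typeof v === "string"
      ? rootAdvisories(report, v, seen)
      : [{ pkg: v.name, title: v.title, url: v.url }]
  );
}

// Findings at or above `threshold`, each with the advisories that caused it.
function gate(report, threshold = "high") {
  return Object.values(report.vulnerabilities)
    .filter((v) => RANK[v.severity] >= RANK[threshold])
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: v.isDirect,
      causes: rootAdvisories(report, v.name),
    }));
}

// Constructed report; names and URLs are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-sdk": {
      name: "example-sdk", severity: "critical", isDirect: true,
      via: ["example-helper"], effects: [], fixAvailable: true,
    },
    "example-helper": {
      name: "example-helper", severity: "critical", isDirect: false,
      via: [{ name: "example-helper", title: "Constructed malware advisory",
              url: "https://advisories.example/CONSTRUCTED-0001", severity: "critical" }],
      effects: ["example-sdk"], fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger", severity: "low", isDirect: true,
      via: [{ name: "example-logger", title: "Constructed low-severity advisory",
              url: "https://advisories.example/CONSTRUCTED-0002", severity: "low" }],
      effects: [], fixAvailable: false,
    },
  },
};
console.log(JSON.stringify(gate(sampleReport), null, 2));
```

`npm audit --audit-level=high` already fails a build by exit code; parsing the JSON adds the advisory trail for findings that arrive through another package.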
The ASEAN Perspective
ASEAN's rapidly growing developer community is disproportionately exposed to supply chain risk for two structural reasons. First, the adoption of open-source packages and modern development frameworks has accelerated faster than security practices — many development teams in the region are using hundreds of open-source dependencies without systematic security scanning. Second, the security tooling and practices that are standard in US and European enterprises are often absent in ASEAN SMEs and startups.
Singapore's Cyber Security Agency has been publishing guidance on software supply chain security, and larger Singapore technology companies (including government-linked entities) have implemented supply chain security scanning as standard practice. The gap between Singapore's leading enterprises and ASEAN's broader startup and SME ecosystem is substantial.
For ASEAN developers, the practical response to the supply chain threat is straightforward: add pip-audit or npm audit to CI pipelines, review all dependency additions carefully, and consider using private package mirrors for production builds that have been pre-scanned.
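An added example, not from the original article, of enforcing the private-mirror recommendation: it reads a `package-lock.json` and reports every package that was not fetched from the mirror or lacks a SHA-512 integrity value. The mirror URL and package names are constructed placeholders.

```javascript
// Assumed pre-scanned mirror; the trailing slash stops look-alike hosts matching as a prefix.
const MIRROR = "https://npm-mirror.internal.example/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Check every installed package in a package-lock.json (lockfileVersion 2 or 3).
function checkLockfile(lock, mirror = MIRROR) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const declared = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const violations = [];
  for (const [path, entry] of Object.entries(packages)) {
    // The root project, workspace links and bundled copies carry no tarball URL.
    if (path === "" || entry.link || entry.inBundle) continue;
    const name = packageName(path);
    const direct = path === "node_modules/" + name && declared.has(name);
    const base = { name, version: entry.version, direct };
    if (!(entry.resolved || "").startsWith(mirror)) {
      violations.push({ ...base, rule: "not-from-mirror", detail: entry.resolved || "(none)" });
    }
    if (!(entry.integrity || "").startsWith("sha512-")) {
      violations.push({ ...base, rule: "weak-integrity", detail: entry.integrity || "(none)" });
    }
  }
  return violations;
}

// Constructed lockfile: a direct dependency from the mirror, a transitive one that bypassed it.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "1.0.0",
      resolved: MIRROR + "axios/-/axios-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/example-helper": {
      version: "2.3.4",
      resolved: "https://registry.npmjs.org/example-helper/-/example-helper-2.3.4.tgz",
      integrity: "sha1-CONSTRUCTED",
    },
  },
};
console.log(checkLockfile(sampleLock));
```

In CI, fail the job when the returned list is non-empty; findings with `direct: false` are the indirect dependencies that a review of package.json alone never sees.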
RECATOOLS Verdict
The 8x growth in malicious packages is a direct consequence of AI capability democratisation — and it will continue to worsen as AI tools become more capable and more accessible. The supply chain attack surface is not going to shrink.
The practical response is automating the defence at the scale of the attack. Manual code review of hundreds of dependencies is not feasible; automated scanning run on every CI build is. The tools exist, the integration work is hours, and the protection is substantial.
Frequently Asked Questions
An attack that targets the third-party libraries and packages that software depends on, rather than attacking the target software directly.
Malicious versions of the widely used Axios HTTP library were published to the npm registry, deploying a Remote Access Trojan (RAT) to systems that installed the compromised versions.
454,600 malicious packages were identified in public software repositories in 2025, up from 55,000 in 2022.
Automated dependency auditing (npm audit, pip-audit) in CI/CD pipelines, careful review of new dependency additions, and private package mirrors for production builds.
AI tools make it trivially easy to generate convincing fake packages with legitimate-looking documentation and code that contain embedded malicious functionality.