Company
Date Published
Author
Idan Digmi
Word count
1000
Language
English
Hacker News points
None

Summary

The landscape of malicious open-source packages continues to evolve: Snyk identified over 3,600 malicious packages in 2024 and more than 1,000 new cases so far in 2025. The primary targets are npm (3,000+) and PyPI (600+), making JavaScript the most affected ecosystem. Malicious packages pose a significant risk to developers; this includes packages that require user interaction beyond downloading the package before they can steal sensitive information from the target's machine. To avoid falling victim to malicious packages, developers should verify package names before installation, scan their projects regularly, and inspect the source code of downloaded packages for suspicious indicators. While the number of malicious packages is increasing, open-source security organizations and the community are developing automation and ML tools to catch these packages in time, and cooperation among peers and experts is crucial in this "malicious packages battle".