2025 Report: Destructive Malware in Open Source Packages
Blog post from Socket
Over the past year, the Socket Threat Research Team has observed a rising trend of destructive malware embedded in open source packages, aimed at developer ecosystems rather than financial assets. Unlike traditional ransomware, this kind of malware sabotages developer environments by deleting source code, breaking builds, or wiping repositories entirely, often blending the destructive logic into otherwise functional code paths. Distributed through trusted registries such as npm, PyPI, NuGet Gallery, and Go module indexes, these packages frequently execute their payloads via lifecycle hooks during dependency installation, so a single install can affect both local developer machines and CI/CD environments at scale.

The team identified four recurring destructive patterns: remote kill switches, time-delayed execution, targeted codebase wiping, and remote payload fetching. These patterns show the operational impact such malware has on developer workflows; npm accounts for most cases, especially within frontend tooling and JavaScript utilities. Although the delivery mechanisms vary, the underlying technique is consistent: exploiting the trust placed in code that runs during dependency installation.

The report underscores the need for development teams to pin dependencies strictly, disable unnecessary lifecycle scripts, and monitor for unexpected file-system deletions to mitigate such threats. The Socket team continues to monitor and disclose these threats and offers tools, including its GitHub App and CLI, to detect sabotage-oriented behavior in open source packages.