Sonatype's 2026 State of the Software Supply Chain report puts a hard number on a trend most security teams have felt anecdotally for years: open-source malware volume grew 75% in 2025, with 454,600 newly identified malicious packages pushing the cumulative total the firm has catalogued and blocked past 1.233 million across npm, PyPI, Maven Central, NuGet, and Hugging Face. Over 99% of that activity concentrated on npm alone. Meanwhile the infrastructure meant to triage the resulting vulnerability data is straining under its own growth — the National Vulnerability Database enriched roughly 42,000 CVEs in 2025, 45% more than any prior year, and still ended the year with a backlog exceeding 27,000 unenriched entries. Two real incidents from this window illustrate why the volume matters: the September 8, 2025 compromise of the npm chalk/debug package family (roughly 2.6 billion combined weekly downloads) and the March 2024 discovery of a multi-year-planted backdoor in XZ Utils, tracked as CVE-2024-3094. Neither was caught by a registry's automated defenses — both were caught by people. This piece walks through what the disclosure data actually shows, incident by incident and number by number.
How much has open-source malware actually grown?
Sonatype's 2026 report is the clearest single data point: 454,600+ new malicious open-source packages were identified in 2025, a 75% year-over-year increase, bringing the running total of known malicious or blocked packages past 1.233 million since Sonatype began tracking. The npm registry accounted for more than 99% of that activity, dwarfing PyPI, Maven Central, NuGet, and Hugging Face combined — a reflection of npm's low publish friction and its position as the default registry for both frontend and increasingly backend JavaScript. Sonatype's taxonomy breaks the malicious corpus into two dominant categories: repository abuse, meaning automated mass-publishing campaigns, at 55.9% of logged malicious packages, and Potentially Unwanted Applications — empty placeholder packages, hardcoded-credential demo code, and spam-bot frameworks — at 27.5%. The report also flags a qualitative shift: state-linked actors, naming the Lazarus Group specifically, have moved from single-stage droppers to five-stage payload chains designed to evade single-point detection. Volume and sophistication are rising together, not one at the expense of the other.
What did the September 2025 npm chalk/debug compromise actually prove?
It proved that a registry's most-downloaded packages remain reachable through a single phished maintainer, not through any flaw in the packages' code. On September 8, 2025, maintainer Josh Junon ("qix") was phished via a fake npmjs.help two-factor-reset email and lost control of publishing rights to chalk, debug, ansi-styles, strip-ansi, and 14 other packages — 18 total, with combined weekly downloads around 2.6 billion. Malicious versions went live at 13:16 UTC; the community flagged the anomaly by roughly 15:20 UTC; reverted packages were live within about two hours. The payload itself was narrowly scoped and browser-only: it hooked window.ethereum and fetch calls to swap cryptocurrency wallet addresses for attacker-controlled ones, using Levenshtein-distance matching to pick a visually similar substitute address rather than an obviously wrong one. The fast community response limited real-world losses, but the incident showed that "most downloaded" is not a proxy for "most defended" — maintainer account security, not code review, was the actual failure point.
What did the XZ Utils backdoor reveal about supply chain trust?
It revealed that a years-long social-engineering campaign against a single maintainer can plant a backdoor deep enough to reach OpenSSH — and that detection can still come down to one engineer noticing something felt slow. Microsoft engineer Andres Freund discovered anomalous SSH login latency, investigated starting around March 28, 2024, and reported findings to the Openwall oss-security mailing list on March 29, 2024. The backdoor lived in liblzma versions 5.6.0 and 5.6.1, introduced by a contributor known as "Jia Tan" who had spent roughly two years building trust and commit history within the XZ Utils project before landing the malicious build-time code, tracked as CVE-2024-3094. Because liblzma sits several dependency layers beneath sshd on affected distributions, no dependency-manifest scan looking only at direct dependencies would have surfaced it — the vulnerable code was reachable only by following the actual transitive chain down through the build system, which is exactly the layer most SCA tools historically stop short of inspecting closely.
Why is the CVE enrichment pipeline itself becoming a bottleneck?
Because the volume of disclosed vulnerabilities is growing faster than the enrichment capacity meant to make them actionable. NVD enriched approximately 42,000 CVEs in 2025 — 45% above any previous year — yet still finished 2025 with a backlog north of 27,000 unenriched vulnerabilities, and 2026's total CVE volume is projected to surpass 60,000, roughly ten times the annual count from a decade ago. Compounding the problem, NIST's NVD and CISA's Vulnrichment program run overlapping, loosely-coordinated enrichment efforts rather than a single pipeline, which duplicates effort without closing the gap. As of April 15, 2026, NVD reprioritized its enrichment queue to address CISA Known Exploited Vulnerabilities-listed CVEs, federally-used software, and EO-14028 "critical software" first — everything else is now explicitly marked "Not Scheduled." For any team relying on CVSS scores or CPE matching straight out of NVD, this means a growing share of disclosed CVEs simply won't get authoritative severity data in a useful timeframe, and internal reachability and impact analysis has to fill that gap.
What do these trends mean for how teams should scan dependencies?
They mean that shallow, manifest-only scanning increasingly misses the incidents that matter most, because both the XZ backdoor and the majority of Sonatype's cataloged malware sit several layers into the transitive tree rather than in a project's direct dependencies. Safeguard's deep dependency scanning resolves the full transitive graph to a depth of 100 levels — well past the 50-60 level ceiling common among SCA tools — specifically because incidents like SolarWinds SUNBURST and the xz-utils backdoor were several levels deep, and cites both as the motivating cases for going beyond typical scan depth. On the malware side, Safeguard's Eagle classification model scores every package publish across npm, PyPI, Maven Central, RubyGems, NuGet, crates.io, Go modules, and Composer against seven indicator classes — including install-script behavior and credential-harvesting patterns — which is the category of automated detection that has to scale alongside the 75% year-over-year growth Sonatype documented, since no security team can manually review 454,600 new packages a year. Depth and classification together address what the 2025 data shows plainly: volume alone will keep outpacing manual triage.