Safeguard
Open Source Security

Why Malicious Package Counts Are Rising Faster Than Detec...

Malicious packages hit 245,000+ in 2023 alone, outpacing 2019-2022 combined. Here's why detection tooling can't keep up, and how the gap actually closes.

Vikram Iyer
Security Researcher
8 min read

In November 2018, security researchers found a backdoor hidden three dependencies deep inside event-stream, a popular npm package with roughly 2 million weekly downloads. The payload, flatmap-stream, sat quietly for two months before it started targeting a specific Bitcoin wallet application. At the time, that kind of incident was rare enough to make headlines for weeks. It no longer is. Sonatype's State of the Software Supply Chain research found 245,032 malicious packages published across open source registries in 2023 alone — more than the combined total from every prior year the report had tracked. npm now hosts more than 3 million packages, PyPI over 500,000, and both registries add thousands of new ones daily. Attackers are publishing malware at a pace that scanning teams, registry moderators, and static-signature tools were never built to match, and the gap between what's published and what's caught is widening every quarter.

How Fast Is Malicious Package Volume Actually Growing?

Malicious package counts have grown roughly 3x year-over-year since 2020, far outpacing registry growth itself. Sonatype's 2022 report logged about 88,000 confirmed malicious packages for that year, describing a 742% average annual increase in malicious component volume over the preceding three years. By 2023 that figure jumped to 245,032 — a single-year total larger than 2019 through 2022 combined. Socket's research team has reported similar acceleration on npm specifically, flagging thousands of newly published packages per month exhibiting install-time scripts that exfiltrate environment variables, SSH keys, or cloud credentials. This isn't a one-off spike tied to a single campaign; it's a sustained curve. Open source package counts overall have grown at a steady, roughly linear rate for a decade. Malicious package counts have grown exponentially over the same window, which means the ratio of bad packages to total packages is getting worse even as absolute registry size grows.

Why Can't Registries Catch These Packages Before Publication?

Registries can't catch most of this before publication because npm, PyPI, and RubyGems were designed as open, low-friction publishing platforms, not as gated software marketplaces. Anyone with an email address can publish to npm in minutes, and there is no mandatory code review, sandboxed execution check, or identity verification step before a package goes live. npm's own security team has historically numbered in the dozens, reviewing a registry that receives on the order of 5,000+ new package versions per day. PyPI runs a similar model, relying heavily on community reporting through tools like pypi-malregistry takedown requests rather than pre-publish inspection. When node-ipc's maintainer shipped a self-sabotaging update in March 2022 that wiped files on machines with Russian or Belarusian IP addresses, it reached production systems before anyone flagged it, because nothing in the publish pipeline executes or inspects install scripts by default. The publishing model that made these ecosystems successful — near-zero friction — is the same model that makes pre-publication filtering nearly impossible at current staffing and tooling levels.

Are Detection Tools Falling Behind Because of a Technology Gap, Not Just a Staffing Gap?

Detection tools are falling behind because most still rely on static signature and reputation matching, which structurally cannot catch novel or obfuscated payloads on first sight. Traditional scanners compare package hashes, known malicious strings, or dependency trees against existing threat databases — effective against reused malware, useless against a payload that has never been seen before. The 2021 ua-parser-js compromise, which affected a library with over 7 million weekly downloads, used a dropper that fetched its actual cryptomining and credential-stealing payload from a remote server only after installation, so static analysis of the published code found nothing unusual. Behavioral and runtime analysis tools exist, but they're computationally expensive to run at registry scale and are typically deployed only in enterprise pipelines, not at the registry ingestion point where the first exposure happens. The result is a detection lag measured in days to weeks for behaviorally novel attacks — plenty of time for a package to accumulate thousands of downloads.

What Techniques Are Letting Attackers Move Faster Than Ever?

Attackers are moving faster because typosquatting and dependency confusion attacks are now semi-automated, and generative AI has added a new attack surface entirely. Typosquatting — publishing reqeusts or python3-dateutil to catch fat-fingered installs — used to require manually watching download stats for popular packages. Researchers at Phylum and Checkmarx have documented automated tooling that generates hundreds of typosquat variants of popular package names and publishes them in bulk within hours of a legitimate package trending. More recently, security researchers have identified "slopsquatting" — attackers registering package names that large language models hallucinate when asked to suggest dependencies, then waiting for developers who copy-paste AI-generated code to pip install or npm install a package that doesn't actually exist yet, until the attacker creates it. A 2024 academic study analyzing over 500,000 code samples from 16 LLMs found that roughly 20% of recommended packages didn't exist, with some models hallucinating nonexistent package names in more than a third of outputs. That's a supply chain attack surface that didn't exist three years ago, growing in parallel with everything else.

What Happens When a Malicious Package Actually Slips Through?

When a malicious package slips through, the damage compounds through the dependency tree faster than most teams can react, because modern applications rarely depend on just the packages they explicitly install. A typical Node.js project imports a handful of direct dependencies that in turn pull in dozens or hundreds of transitive ones. The 2024 discovery of a backdoor in xz-utils (CVE-2024-3094) — inserted over roughly two years by a contributor who had earned commit access through patient, legitimate-looking contributions — showed how a single compromised component that ships inside SSH-adjacent tooling could have provided remote code execution across a large share of Linux server infrastructure had it not been caught by a Microsoft engineer investigating unrelated performance anomalies. That near-miss was caught by luck and one unusually attentive individual, not by process. Most organizations don't have that luck, and by the time a malicious package is delisted from a registry, it has typically already been cached in private mirrors, CI build artifacts, and lockfiles that won't be revisited until the next dependency audit — which for many teams happens annually at best.

Is This Just an npm and PyPI Problem, or Is It Ecosystem-Wide?

This is an ecosystem-wide problem, not an npm-specific one — every major package registry has recorded rising malicious package counts over the same period. RubyGems, crates.io, Maven Central, NuGet, and Go's module proxy have all published or been the subject of research documenting credential-stealing, cryptomining, or destructive packages since 2022. The common thread isn't the language or registry design; it's that every one of these ecosystems optimized for frictionless publishing and grew popular enough to become a worthwhile target. Attackers follow developer adoption, and as language ecosystems like Rust and Go have grown, malicious package activity in crates.io and the Go module proxy has grown alongside them, just a step behind the volume seen in npm and PyPI because those ecosystems are still smaller. The lesson from watching this pattern repeat across five-plus registries is that detection capacity has to be treated as a permanent, ecosystem-wide arms race rather than a problem any single registry will solve on its own.

How Safeguard Helps

Safeguard is built around the assumption that signature-based, post-publication detection will never fully close this gap on its own, so we focus on giving engineering and security teams control points earlier and later in the pipeline than most tools reach. On ingestion, Safeguard continuously monitors package registries and rescans dependencies already in use as new threat intelligence emerges, rather than relying on a one-time scan at install time — so a package that looked clean last month but gets flagged today doesn't sit quietly in your lockfile for another year. Behavioral analysis of install scripts, network calls, and file system access flags suspicious patterns even when no known signature matches, addressing the exact blind spot that let incidents like ua-parser-js go undetected at publication.

For the dependency-confusion and typosquatting techniques driving so much of the current volume, Safeguard enforces policy gates directly in CI/CD and pull request workflows, blocking newly published, low-reputation, or name-similar packages before they merge rather than after they've shipped to production. Safeguard also maintains real-time SBOM visibility across your full dependency tree, including transitive dependencies, so when the next xz-utils-style compromise surfaces, you can identify exposure in minutes instead of days of manual dependency archaeology. The goal isn't to promise perfect detection — no single vendor can claim that against 245,000-plus new malicious packages a year — but to compress the window between publication and detection, and to make sure a missed signature at the registry level isn't the only thing standing between an attacker and your production environment.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.