Security researchers Kirill Boychenko and Philipp Burckhardt have released these important findings. They unmask the 2025 threat landscape of malicious open-source packages. In a recent blog post on Socket.dev, they highlighted six primary adversarial techniques that threat actors have adopted to infiltrate software ecosystems. This deeply troubling trend warrants a discussion of the security of widely used package managers, including npm and Go.
Our researchers found six foundational strategies. These are just some of the techniques and tactics they employ such as typoquatting, Go repository caching abuse, obfuscation, multi-stage execution, slopsquatting and abuse of legitimate services and developer tools. These techniques allow attackers to play off the blind trust that developers have in open-source projects.
Specific Malicious Packages
After a deep dive Into the malicious package identified os-info-checker-es6 was flagged as the biggest risk with 2,001 downloads. This package seems deeply tied to a larger campaign. Its connection to other dependent packages adds to the risk. Its purpose is to remotely siphon sensitive information from systems without the user’s knowledge.
Another package, “skip-tot,” is very popular with 94 downloads. This package consists of a preinstall.js file that parses Unicode “Private Use Access” characters and passes them to the next-stage payload. This level of sophistication indicates a greater trend towards more complex attack methodologies permeating the npm ecosystem.
“This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload” – Veracode.
Defensive Strategies
Given these changes, Boychenko and Burckhardt argue that there is need for proactive defensive measures. To this end, developers should focus on behavioral indicators that might indicate nefarious conduct. Major ORM red flags include unanticipated postinstall scripts, overwriting files like robots.txt, and making outbound connections without authorization. They make a strong case for vetting third-party packages with extreme caution before adding them to your projects.
“Static and dynamic analysis, version pinning, and close inspection of CI/CD logs are essential to detecting malicious dependencies before they reach production” – Kirill Boychenko and Philipp Burckhardt.
The researchers wish to underscore the need to critically assess the full software supply chain. Such scrutiny is critical for minimizing the potential dangers associated with malicious packages. Developers are more able to protect their systems against quickly evolving threats by introducing strict checks and balances.