Kaspersky has reported a sharp rise in software supply-chain threats: a 37% year-on-year increase in malicious open-source packages worldwide. By the end of 2025, Kaspersky telemetry had detected almost 19,500 malicious packages planted in open-source ecosystems, underscoring the growing risk to modern software development.
Open-source components are foundational to today's digital products, and attackers increasingly exploit the trust that comes with that widespread adoption. According to Kaspersky's latest global study, supply-chain attacks were the most common cyber threat confronting businesses over the past year, affecting organizations across sectors and geographies.
Recent incidents illustrate the scale and sophistication of these attacks. In April 2026, the official websites of CPU-Z and HWMonitor, two widely used hardware monitoring tools, were compromised and the legitimate downloads were silently replaced with malware-tainted installers. Kaspersky analysis put the attack window at approximately 19 hours, during which more than 150 victims in multiple countries were affected, including users and organizations in retail, manufacturing, telecommunications, and agriculture.
“Completely eliminating supply‑chain risk is impossible, but it can be significantly reduced through continuous monitoring, collaboration, and the use of advanced security technologies.”
— Dmitry Galov, Head of Kaspersky GReAT Russia and CIS
In March 2026, attackers compromised Axios, one of the most widely used JavaScript HTTP clients, after hijacking a maintainer's account. The poisoned versions introduced a phantom dependency that deployed a cross-platform remote access trojan and then erased traces of itself. Earlier, in February, Notepad++ disclosed a supply-chain compromise linked to an incident at its hosting provider, in which attackers deployed multiple infection chains against organizations and individuals in Asia, Latin America, and elsewhere.
Kaspersky notes that 31% of enterprises globally were affected by a supply-chain attack in the last 12 months. Open-source software is not inherently less secure, but the sheer number of dependencies and the speed at which they are integrated often outpace an organization's visibility and control over them.
To reduce the risk, Kaspersky recommends continuously monitoring the open-source components in use, adopting advanced detection and response platforms, following security advisories, preparing supply-chain-specific incident response plans, and working closely with suppliers so that security becomes a shared responsibility.
As software ecosystems grow more interconnected, the findings point to one conclusion: protecting the supply chain is now a core requirement for digital resilience.
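The Axios incident above turned on a single poisoned release pulling in a dependency nobody asked for, and "continuous monitoring of open-source components" is, in practice, largely about catching exactly that kind of change in a lockfile before it reaches CI or production. The following Node.js script is an added example written for this article, not code from Kaspersky or from any of the projects named here. It diffs two npm `package-lock.json` documents (lockfileVersion 2 or 3) and flags packages that newly appear, packages whose version changed, packages that gained an install script, and tarballs resolved from somewhere other than the public registry. The lockfiles, package names and versions are constructed for the demonstration; none of them refer to a real package or a real compromised release.

```javascript
// Added example: diff two npm package-lock.json documents and flag the
// changes a reviewer should look at before trusting an update.
// Works on lockfileVersion 2 and 3, whose "packages" map is keyed by
// install path ("node_modules/a/node_modules/b").

const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Build path -> { name, version, resolved, hasInstallScript } from a lockfile.
// The root entry ("") is the project itself and is skipped.
function indexLock(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps "@scope/x"
    out.set(path, {
      name,
      version: meta.version,
      resolved: meta.resolved,
      hasInstallScript: Boolean(meta.hasInstallScript),
    });
  }
  return out;
}

// Compare two lockfiles and return a list of findings. A "new_package" whose
// `direct` flag is false is a transitive dependency that arrived without being
// declared by the project: the phantom-dependency pattern.
function diffLocks(before, after) {
  const prevIdx = indexLock(before);
  const curIdx = indexLock(after);
  const declared = (after.packages && after.packages[""] && after.packages[""].dependencies) || {};
  const findings = [];

  for (const [path, cur] of curIdx) {
    const prev = prevIdx.get(path);
    if (!prev) {
      findings.push({ kind: "new_package", path, name: cur.name, version: cur.version,
                      direct: Object.prototype.hasOwnProperty.call(declared, cur.name) });
    } else if (prev.version !== cur.version) {
      findings.push({ kind: "version_change", path, name: cur.name,
                      from: prev.version, to: cur.version });
    }
    // An install script appearing where there was none is the classic hook for
    // code execution at `npm install` time.
    if (cur.hasInstallScript && !(prev && prev.hasInstallScript)) {
      findings.push({ kind: "install_script", path, name: cur.name, version: cur.version });
    }
    if (cur.resolved && !REGISTRY.test(cur.resolved)) {
      findings.push({ kind: "off_registry", path, name: cur.name, resolved: cur.resolved });
    }
  }
  for (const [path, prev] of prevIdx) {
    if (!curIdx.has(path)) findings.push({ kind: "removed", path, name: prev.name });
  }
  return findings;
}

// Gate for CI: a bare version bump can be auto-approved, anything that adds a
// package, an install script or an off-registry tarball needs a human.
function needsReview(findings) {
  return findings.some((f) => f.kind === "new_package" || f.kind === "install_script" ||
                              f.kind === "off_registry");
}

// Constructed sample lockfiles (hypothetical package names and versions).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-http-client": "^1.2.3" } },
    "node_modules/example-http-client": { version: "1.2.3",
      resolved: "https://registry.npmjs.org/example-http-client/-/example-http-client-1.2.3.tgz" },
    "node_modules/example-redirects": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-redirects/-/example-redirects-1.0.0.tgz" },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-http-client": "^1.2.3" } },
    "node_modules/example-http-client": { version: "1.2.4",
      resolved: "https://registry.npmjs.org/example-http-client/-/example-http-client-1.2.4.tgz" },
    "node_modules/example-redirects": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-redirects/-/example-redirects-1.0.0.tgz" },
    // Undeclared transitive package with an install script: the pattern to catch.
    "node_modules/example-loader": { version: "0.1.0", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/example-loader/-/example-loader-0.1.0.tgz" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const findings = diffLocks(LOCK_BEFORE, LOCK_AFTER);
  console.log(JSON.stringify(findings, null, 2));
  console.log("needs review:", needsReview(findings));
}
```

In a real pipeline the two inputs would be the committed lockfile and the one produced by the update, read with `JSON.parse(fs.readFileSync(...))`, and `needsReview` would decide whether the job fails. The check is deliberately limited to what the lockfile itself records; it does not inspect package contents, so it complements rather than replaces advisory feeds and runtime detection.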
