![[Webinar] From Code to Cloud to SOC: Learn a Smarter Way to Defend Modern Applications](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLbNLee9VlpBpNmlxQSBF7IHwrQajzAJWYjhcHTIVVqzroGXrpk_x9Sbbua1Xi-QtO9jbcX1canKTWWzfaOshSarJol1Ude7LNQMeV5B2x71gaXxWg_cjEJ3bPuuoyyyMLgWB9hCtZ1PV5j3QOGByinGCAETqul2WWz-mVYiuERYWPVu7ob8lSckM-ocw/s1600/soc.jpg?#)
![[The AI Show Episode 147]: OpenAI Abandons For-Profit Plan, AI College Cheating Epidemic, Apple Says AI Will Replace Search Engines & HubSpot’s AI-First Scorecard](https://www.marketingaiinstitute.com/hubfs/ep%20147%20cover.png)
![How to Enable Remote Access on Windows 10 [Allow RDP]](https://bigdataanalyticsnews.com/wp-content/uploads/2025/05/remote-access-windows.jpg)
![Artist Shocked To Find Her Poster Designs From 2017 In Bungie's Marathon: 'A Major Company Has Deemed It Easier To Pay A Designer To Imitate Or Steal My Work Than To Write Me An Email' [Update]](https://i.kinja-img.com/image/upload/c_fill,h_675,pg_1,q_80,w_1200/4ce7afff77473c3cccca9cc349c42790.jpg)
-Olekcii_Mach_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Apple tests EU by adding scare screens to apps using third-party payments [u]](https://photos5.appleinsider.com/gallery/63640-132334-000-lede-App-Store-warning-xl.jpg)
![Apple using sketchy warning for apps bought using third-party payment systems [Updated]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/Apple-using-scary-looking-warning-for-apps-bought-using-third-party-payment-systems.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Sony WH-1000XM6 Unveiled With Smarter Noise Canceling and Studio-Tuned Sound [Video]](https://www.iclarified.com/images/news/97341/97341/97341-640.jpg)
![Watch Aston Martin and Top Gear Show Off Apple CarPlay Ultra [Video]](https://www.iclarified.com/images/news/97336/97336/97336-640.jpg)
![Apple Slaps Warnings on Apps Using External Purchases in the EU [Updated]](https://images.macrumors.com/t/Zy0e-JLM0fNyngEYaXu5rMH1lJk=/1920x/article-new/2025/05/app-store-external-payments-warning.jpg)
Threat Actors Weaponizing Open Source Packages to Deliver Malware in Supply Chain Attack
In the first half of 2025, cybersecurity experts have observed a significant rise in threat actors targeting the software supply chain through weaponized open source packages. These attacks leverage the implicit trust developers place in third-party dependencies, transforming seemingly benign libraries into vehicles for delivering sophisticated malware like infostealers, remote shells, and cryptocurrency drainers. Modern […] The post Threat Actors Weaponizing Open Source Packages to Deliver Malware in Supply Chain Attack appeared first on Cyber Security News.
In the first half of 2025, cybersecurity experts have observed a significant rise in threat actors targeting the software supply chain through weaponized open source packages.
These attacks leverage the implicit trust developers place in third-party dependencies, transforming seemingly benign libraries into vehicles for delivering sophisticated malware like infostealers, remote shells, and cryptocurrency drainers.
Modern software development practices have created an expansive attack surface, with 70-90% of typical codebases consisting of third-party packages.
With billions of downloads occurring weekly from registries like npm and PyPI, attackers have identified a fertile ground for malware distribution, exploiting the complexity where a single package can pull in dozens of nested dependencies.
Socket.dev researchers identified multiple campaigns where threat actors deployed malicious code across major package ecosystems, including npm, PyPI, and Go Module.
Their analysis revealed how attackers are exploiting the interconnectivity of modern package ecosystems, where developers almost never inspect every transitive dependency, and automated CI pipelines may blindly install the latest versions.
The impact of these supply chain attacks extends far beyond individual developers, affecting organizations worldwide that unknowingly incorporate compromised packages into their products.
As AI-assisted development accelerates code integration without thorough inspection, the risk continues to grow, with attackers adapting their techniques to bypass traditional security measures.
.webp)
Among the various techniques employed by threat actors – including typosquatting, repository abuse, obfuscation, and weaponizing legitimate services – multi-stage malware deployment stands out for its effectiveness in evading detection while maximizing impact.
Multi-Stage Malware: Deferred Payloads and Staged Execution
Multi-stage malware segments functionality across several payloads, starting with lightweight code that appears harmless during initial scanning.
In one campaign linked to North Korean threat actors, Socket.dev researchers discovered a package delivering a loader called “BeaverTail” that stole browser data and cryptocurrency wallet credentials before fetching a more advanced backdoor named “InvisibleFerret”.
The first-stage code demonstrates the stealthy approach used:-
async function uploadFiles(basePath, prefix, includeSolana, timestamp) {
if (!testPath(basePath)) return;
for (let i = 0; i {
if (!error) {
// Extract and execute
}
});
}This deferred execution strategy keeps initial code small and less suspicious, while allowing threat actors to maintain persistence and execute more damaging payloads later.
By hiding in plain sight within trusted development workflows, these supply chain attacks represent a growing threat requiring specialized detection techniques focused on behavioral signals rather than static signatures.
How SOC Teams Save Time and Effort with ANY.RUN - Live webinar for SOC teams and managers
The post Threat Actors Weaponizing Open Source Packages to Deliver Malware in Supply Chain Attack appeared first on Cyber Security News.
