> Research Report · June 2026
The Poisoned Well
How AI-Assisted Coding Amplifies Open Source Supply Chain Attacks
Weekly downloads behind one phished maintainer
npm "qix", Sept 2025
Of AI-recommended packages don’t exist
Slopsquatting study
Malicious packages tracked since 2019
Sonatype, 2026
Median patch time vs. 28 days to exploit
CVE survival analysis
Open Source as a Malware Channel
On a Friday in late April 2026, attackers pushed a new release of elementary-data - a Python data-observability CLI downloaded more than a million times a month - to PyPI and a Docker image to GitHub Container Registry. The malware was not a classic install script but a single elementary.pth file that Python executes automatically on interpreter startup; it ran a multi-stage credential stealer targeting cloud keys, SSH keys, and .env contents. It was live about twelve hours.[1.1][1.2] Twelve hours is a long time when CI/CD runners - machines that exist specifically to hold many secrets at once - install your package automatically.
Nobody at the affected companies wrote that code. Nobody reviewed it. It arrived as a dependency, pulled in by a package manager, trusted by default. This is the pattern behind a category of attack that has gone from isolated incidents to industrialized campaigns in two years. The mechanics recur:
Maintainer account takeover. In September 2025, a phishing email from the lookalike domain npmjs.help compromised the npm account of a prolific maintainer known as “qix.” An adversary-in-the-middle page captured his password and his time-based 2FA code in real time, defeating the TOTP many assume is sufficient. Malicious versions of 18 foundational packages - including chalk and debug - went live with a combined ~2.6 billion weekly downloads.[1.3][2.2] The payload netted the attackers only about $50 in cryptocurrency.[2.5] The damage was trivial; the lesson was not.
Self-propagating worms. A week later, the Shai-Hulud worm harvested credentials from infected developer machines, then used stolen npm tokens to inject itself into other packages the victim maintained and republish them. The first wave compromised 500+ packages; a November 2025 wave moved to pre-install execution and exfiltrated secrets into 25,000+ attacker-created repositories.[1.5]
Industrialized publishing. By May 2026, a “Mini Shai-Hulud” operation used one compromised account to publish hundreds of malicious versions across the AntV ecosystem in a ~22-minute automated burst - and injected orphan commits to generate valid Sigstore/SLSA provenance for them.[1.6]
Long-game sleepers. The 2024 xz-utils backdoor took two years of trust-building; the WordPress “Essential Plugin” backdoor sat dormant eight months before activating across ~400,000 installations.[4.4] Patience is a tactic - and it specifically defeats the time-based defenses in section 07.
Two structural facts do the heavy lifting throughout: install-time (or import-time) code execution, which lets a package run before any of its real code is called, and transitive opacity - most of what you install, you never chose. Roughly 95% of vulnerabilities live in transitive dependencies you never picked directly.[4.3]
How Big Is This, Really?
Anecdotes mislead in both directions, so it is worth grounding the threat in numbers - and being clear about what they do and don't say.
The growth is steep and sustained, not a one-year spike. Sonatype, tracking malicious open source packages since 2019, reported the cumulative total passing ~845,000 by mid-2025 and approaching 1.2 million by early 2026, with ~454,600 newly discovered in 2025 alone - a ~75% year-over-year increase.[4.1] Earlier years were steeper still: counts roughly tripled in the 2024 reporting period, and ReversingLabs measured a ~1,300% rise in repository threats between 2020 and 2023.[4.2] The trajectory is clearly super-linear, though headline percentages moderate as the base grows.
But prevalence needs a denominator. Against an estimated 9.8 trillion package downloads in 2025, malicious packages are a small fraction of total volume.[4.1] The honest framing: the probability a given install is malicious remains low, but the blast radius when a popular package is hit is enormous, and the base rate is climbing fast.
In context with other vectors, the supply chain has moved from niche to mainstream: the Verizon 2025 DBIR found third-party involvement in breaches doubled from 15% to 30% in a single year.[2.4] And a structural weakness compounds it - around 80% of enterprise dependencies go un-updated for over a year,[4.1][4.3] so most organizations carry long exposure windows before any attack.
Cumulative Malicious Packages Tracked
Sonatype, discovered across npm / PyPI / others, since 2019
New malicious packages YoY (2025)
Of breaches now involve a third party
Why AI Makes It Bigger, Faster, Stranger
AI did not create supply chain risk, but it amplifies it through four distinct mechanisms. Precision matters - each calls for a different countermeasure, and some are present-day realities while others are emerging.
1 · More code, less scrutiny per decision (present). AI assistants raise the volume and velocity of code, and AI-generated code leans heavily on importing libraries. The human pause that once asked “do I trust this package?” is exactly the friction AI workflows remove. Sonatype notes attackers deliberately cluster malicious names around high-velocity tooling where dependency decisions are “frequent, repetitive, and time-boxed.”[4.1]
2 · Slopsquatting (present). Models invent plausible package names that don't exist. A study of 576,000 samples across 16 models found 19.7% of recommended packages did not exist - over 205,000 unique hallucinated names, repeated reliably enough to be an attacker's gift.[3.1] A proof of concept - the hallucinated huggingface-cli, registered empty - drew 30,000+ downloads in three months.[1.4] Typosquatting bet on human error; slopsquatting bets on machine error, at machine scale.
3 · AI lowers attacker costs too (accelerating). The 22-minute AntV burst is offense fully automated.[1.6] The same tooling that helps developers ship helps attackers generate convincing READMEs, commit histories, phishing pages, and payload variants faster than signature defenses adapt.
4 · Agents are credential-rich, manipulable targets (emerging). Agents plan, install dependencies, and run code with minimal supervision - in environments holding exactly what malware hunts. And their instructions can be poisoned: a malicious README or tampered “skill” file can carry injected commands a model follows, including “install this package.” When the entity choosing what to install is itself manipulable, dependency selection becomes a systems-security problem. This is the threat most likely to define the next two to three years - and the least covered by today's controls.
AI-recommended packages that don't exist
SLOPSQUATTING
Unique hallucinated package names observed
SPRACKLEN ET AL.
To publish 600+ malicious versions, AntV
AUTOMATION
Downloads of one empty hallucinated package
PROOF OF CONCEPT
> What to do now
No single control is sufficient. The landscape is best read as five competing schools of thought - each with a theory of the core problem and a demonstrated failure mode the others expose.
School 1 · Provenance
“Prove where it came from”
Why it's right
This school targets unverifiable origin: mandatory 2FA, trusted publishing (short-lived, workflow-bound tokens), and cryptographic attestation via Sigstore and SLSA provenance, proving a package was built from a specific source by a specific workflow. Critically, provenance was never designed to prove safety - its job is integrity, traceability, and accountability. Judged against that goal, it works.
Where it breaks
Two cracks, neither a fault of the goal. Attackers race hardening deadlines - the November 2025 Shai-Hulud wave was timed to use stolen long-lived tokens before npm's revocation deadline.[1.5] And provenance can be satisfied by a malicious actor: the AntV campaign produced malicious packages with valid provenance via orphan-commit injection.[1.6] The takeaway isn't “provenance is useless” (a straw man) but necessary and insufficient: a verifiably-sourced package can still be malicious.
School 2 · Vulnerability Scanning
“Match it against the database”
Why it's right. CVE-based scanners (npm audit, pip-audit, commercial SCA) cross-reference dependencies against OSV and NVD - concrete, auditable, compliance-friendly. The state of the art has matured beyond raw CVE counts: leading tools layer reachability analysis (does my code call the vulnerable function?) and EPSS (exploitation probability) on top of CVSS severity, claiming 80–90% reductions in irrelevant alerts.[4.5]
Where it breaks. The limit is definitional: supply chain malware is a zero-day at publish time. There was no CVE for elementary-data 0.23.3 in the twelve hours it mattered.[1.1] CVE scanning is essential for the long tail of unintentionally insecure code and structurally blind to the deliberately malicious publish. Better prioritization doesn't change what the database can't yet contain.
School 3 · Behavioral Analysis
“Watch what it does, not what it's called”
Why it's right
The most direct answer to malware. Instead of “is this a known-bad version?” it asks “does this release behave suspiciously?” - a sudden new install script, network access it never needed, obfuscated code, a maintainer-change pattern consistent with takeover. This is the model behind Socket's capability analysis, Sonatype's behavioral Repository Firewall (110,000+ malicious-package attempts blocked in a single 2025 quarter), and scanners like Datadog's GuardDog.[4.5][4.6] Some intercept the install itself. This is the best current defense against novel attacks.
Where it breaks
Two honest limits. Detection is only as good as the indicators - as Datadog's own researchers note, a payload that does not execute at install time and carries no recognizable signature is genuinely harder to catch.[4.4] And it is a race: detection windows measured in hours are impressive, and still long enough for a popular package to be installed hundreds of thousands of times before the block lands.
School 4 · Cooldowns
“Wait before you trust”
Why it's right - and genuinely valuable. If most malicious packages are detected and yanked within hours to days, refuse to install any version younger than ~7 days and let someone else's scanner find the malware first. The empirical case is strong: a 7-day cooldown would have blocked 8 of 10 recent incidents, 14 days all but one.[4.4] Against the dominant present-day pattern of fast, opportunistic publishes, cooldowns plausibly neutralize the large majority of attacks at near-zero cost, and well-designed implementations exempt security patches. The approach has reached core tooling - pip 26.1 ships first-class support.[4.4] The posture is unambiguous: adopt cooldowns.
Where it breaks. A cooldown is a bet that the malware executes during the window someone else is watching - exactly what a patient attacker breaks with a dormant payload that lies inert through the cooldown and activates later, after the package has aged into “trusted.” The sleepers in section 01 (xz at two years, Essential Plugin at eight months) are the existence proof.[4.4] Deploy cooldowns as a high-value mitigation, not a cure - and pair them with controls a sleeper cannot easily fake over time.
“Scan and pray” asks how fast you can detect a bad package after it enters your environment. “Curate and govern” asks what would have to be true for that package to never be eligible to enter in the first place.
School 5 · Organizational Governance
“Decide eligibility before anything enters”
The most powerful set of controls available to large organizations, and the most underdeveloped in most write-ups. Where the first four schools mostly detect, governance decides eligibility up front.
Approved dependency catalogs
Curate a vetted set of packages rather than the open registry, shrinking the attack surface from millions to hundreds. Google's Assured Open Source Software productizes this: 2,500+ Java/Python packages built, vetted, fuzzed, and signed across three assurance tiers.[4.7]
Internal mirrors / proxies
Pull-through repositories (Artifactory, Nexus) sit between developers and the public registry, so nothing enters without passing policy - and you retain a known-good copy if upstream is later compromised. This is also where a cooldown is most cleanly enforced.
Dependency review boards
A lightweight intake step for admitting a new dependency - evaluating maintenance health, license, maintainer concentration, and necessity. This addresses the “should I depend on this at all?” question no scanner answers.
Sustainability & procurement
The deepest controls address the root: under-resourced maintainers. Funding critical dependencies and treating critical OSS as a procured supplier reduces the burnout and account-takeover risk that xz and qix exemplify.[1.3] It is arguably the only control that touches the social root of the problem.
Where it breaks
Governance is expensive, slow to stand up, and creates friction that - if mismanaged - developers bypass, recreating the problem through shadow dependencies. Most justifiable for large or high-assurance organizations; least practical for small fast-moving teams.
Layering It: Architecture & Maturity
The honest unifying point. All five schools are downstream of a problem that is social and economic, not purely technical. Trust - who maintains this, are they funded, has their account been taken over - is not something a signature, a CVE database, a heuristic, or a waiting period can fully manufacture. Each control raises attacker cost; none removes the underlying problem. That is why defense-in-depth is a structural necessity, not a slogan.
Measure exposure windows, not snapshots. The traditional “are we vulnerable now?” is a snapshot, and snapshots mislead. A study mining 643,000 vulnerability-fix commits found a median 34 days from a CVE becoming visible to its fix landing - ~25 days for active projects, ~64 for inactive.[3.2] Meanwhile 75% of exploited vulnerabilities have a public exploit within 28 days.[3.3] The median patch often arrives after the typical exploit does. Mean-time-to-remediate hides this; survival analysis lets you state and verify “90% of criticals remediated within 30 days” against an explicit objective.[3.4] The corollary: treat version lag and maintenance health as first-class, leading risk signals. Freshness is a security metric - and with ~80% of dependencies un-updated for over a year, a neglected one.[4.1][4.3]
Close the loop for the agentic era. If models hallucinate packages and agents install them autonomously, the checks - does this exist, is it healthy, is this version mature enough to clear a cooldown, is the maintainer behaving normally? - must run before the install executes, programmatically, every time. Policy docs and training don't scale to agents; pre-flight verification does. A new class of tooling targets exactly this: MCP servers (the Model Context Protocol lets agents call external tools) embedding dependency intelligence into assistants like Claude Code, configured as a mandatory pre-flight check before the agent runs npm install or edits a manifest. An agent's training data cannot know a package was compromised last Tuesday, that a name doesn't exist, or that a release is nine hours old - a deterministic SCA call can. Several tools, OSS IQ among them, now ship dependency analysis as an MCP tool for this reason.[5.1] The durable point: verification belongs where the decision is made - in the agentic era, inside the model's loop, not a CI step the agent already ran past.
Defense-in-depth, developer outward
- 1Source / IDE / agent
Pre-flight verification at the moment of decision. Catches slopsquatting before a package is ever requested.
- 2Intake / registry boundary
Mirror or proxy enforcing an approved catalog and a cooldown window. Nothing enters that isn't eligible and aged.
- 3Build / CI
SCA + reachability/EPSS, behavioral scanning, SBOMs, provenance. Gates fail on maintenance-health and version-lag thresholds, not just CVEs.
- 4Governance (cross-cutting)
Intake review, risk-tiering of critical dependencies, sustainability relationships with key maintainers.
- 5Runtime / response
Malware-feed monitoring, an incident playbook (isolate, rotate, pin), and exposure-window tracking via survival curves.
A Maturity Model
Levels are cumulative - AI-Native sits on top of everything below it.
| Level | Core controls | Defends against | Primary gap |
|---|---|---|---|
| Basic | SCA (CVE scanning) + SBOM | Known, disclosed vulnerabilities; basic inventory | Blind to zero-day malware; no behavioral or trust signal |
| Intermediate | + Provenance / attestation + cooldowns | Integrity & traceability; the majority of fast opportunistic publishes | Sleepers & dormant payloads; valid-provenance malware |
| Advanced | + Behavioral analysis + governance (catalogs, mirrors, review, health gating) | Novel malware at publish time; eligibility decided before intake; long exposure windows | Resource-intensive; agent-driven installs still outside the loop |
| AI-Native | + Agent-integrated pre-flight verification (MCP) + exposure-window measurement | Slopsquatting; autonomous agent installs of stale / invented / compromised packages | The irreducible social trust problem (mitigated, never eliminated) |
Instrumented Trust
Open source is not the villain of this story - it is the victim, and it remains one of the most successful trust systems ever built. But that trust was calibrated for a world where humans chose dependencies slowly and attackers worked manually. Both assumptions are now false. The volume of trust decisions in software has exploded just as the cost of betraying that trust has collapsed.
The answer is not less AI and not less open source. It is instrumented trust: knowing, continuously and quantitatively, how healthy every link in your supply chain is; measuring exposure windows rather than averaging them away; layering provenance, scanning, behavioral analysis, cooldowns, and governance while staying honest that none defeats a patient adversary alone; and verifying - at machine speed, inside the loop - every decision a machine makes on your behalf.