In 2025, open source supply-chain security stopped being “mostly about dependency hygiene” and became, unmistakably, a story about adversaries targeting the systems of software production: CI/CD automation, maintainer identities, registry mechanics, and the incentives that power ecosystems. The year’s defining incidents were less about a single ubiquitous backdoor and more about repeatable playbooks: compromise something upstream, propagate through automation, and monetize at scale, whether via secrets theft, credential replay, or sheer ecosystem flooding. At the same time, policy and industry moved from principles to enforceable expectations, with Europe’s Cyber Resilience Act (CRA) and its SBOM-related requirements looming over product teams that ship software at industrial volume.
What follows is a chronological narrative of the major 2025 events and why they mattered.
Q1 2025: CI/CD becomes the front door
The tj-actions/changed-files compromise and the “Action-as-dependency” wake-up call (March)
Early 2025’s most widely felt supply-chain story wasn’t a package registry incident; it was a compromise of a popular GitHub Action. In mid-March, tj-actions/changed-files was tampered with in a way that could expose secrets through workflow logs, impacting a very large downstream set of repositories. CISA issued an alert describing the compromise and urging immediate remediation, and the issue was tracked as CVE-2025-30066.
Multiple analyses converged on a key lesson: “dependencies” include CI building blocks. GitHub Actions are frequently pinned loosely (or not pinned at all), executed with powerful tokens, and run in contexts where secrets exist by design. Palo Alto Networks’ Unit 42 described how the compromised action could enable attackers to access workflow secrets used by thousands of repos.
Additional incident writeups highlighted a chain-of-compromise dynamic, where one action’s compromise can propagate into others that depend on it.
Why it mattered in 2025: this incident made “secure-by-default CI” an urgent operational priority, not a best practice. Rotating credentials, pinning actions by immutable commit, reducing token scope, and hardening runners stopped being optional checklists and became a necessary response to an ecosystem where build-time is a prime target.
Q2 2025: Package registries absorb constant-pressure attacks
Typosquatting and “name confusion” as a reliable intrusion vector (May)
By late spring, reporting showed how attackers continued to lean on old-but-effective mechanics (typosquatting, lookalike packages, and dependency confusion patterns) because they scale cheaply and exploit human autopilot. Checkmarx detailed a campaign abusing name confusion/typosquatting in PyPI and npm, including targeting a well-known Python package name to lure installs.
Why it mattered in 2025: this phase underscored that registry security is not only about detecting malware payloads; it’s about constraining ambiguity (names, maintainership, and account recovery paths) so that “developer intent” is harder to spoof.
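A consumer-side check for the name ambiguity described above, as an added example that is not from the original article or from any registry's own tooling. It compares a requested package name against a list of names the team actually intends to use; the protected list, the lookalike names and the distance threshold are constructed assumptions.

```python
import re

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) using a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_name(requested, protected, max_distance=2):
    """Return None if the name is an exact (normalized) match or unrelated,
    otherwise (protected_name, reason) for a likely lookalike."""
    req = normalize(requested)
    known = {normalize(p) for p in protected}
    if req in known:
        return None
    for p in sorted(known):
        if req.replace("-", "") == p.replace("-", ""):
            return (p, "separator confusion")
        d = edit_distance(req, p)
        if d <= max_distance:
            return (p, f"edit distance {d}")
    return None

# Constructed allowlist of intended dependencies (assumption for this example).
PROTECTED = ["requests", "numpy", "python-dateutil"]

if __name__ == "__main__":
    # Constructed candidate names, as they might appear in a requirements file.
    for name in ["requests", "Python_DateUtil", "pythondateutil", "reqeusts", "nunpy", "flask"]:
        print(f"{name!r}: {check_name(name, PROTECTED)}")
```

A fixed distance threshold produces false positives on very short names, so a gate like this is better used to request human review than to block an install outright.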
Q3 2025: Credential theft and malware delivery accelerate
PyPI malware with real post-exploitation capability (August-September)
In 2025, PyPI saw repeated waves of malicious uploads that weren’t merely nuisance scripts; they carried capabilities aligned with real intrusions. Zscaler’s ThreatLabz reported malicious PyPI packages delivering a Python-based RAT (“SilentSync”) with remote command execution and data theft behavior.
Separately, ecosystem defenders and press coverage highlighted PyPI’s response to account takeover vectors such as “domain resurrection” (expired maintainer domains being re-registered to hijack password resets). This was a notable shift: registry operators started closing structural gaps that enable account compromise at scale, not just removing individual malicious packages.
Why it mattered in 2025: malware campaigns increasingly assumed they’d get some installs. The attacker problem became persistence and monetization; the defender problem became prevention of publication abuse and account takeover, not just detection after the fact.
npm: from targeted compromises to ecosystem-scale events (August-September)
On the JavaScript side, several analyses documented how attackers targeted the npm ecosystem via token theft and compromised automation. Sonatype described a timeline where attackers exploited CI workflow weaknesses to steal publishing tokens and push malicious versions into widely used packages, illustrating the tight coupling between CI security and registry integrity.
By early September, JFrog characterized one incident as the largest npm attack in history at the time, emphasizing the blast radius when popular packages are trojanized and widely consumed.
Why it mattered in 2025: npm’s volume and transitive dependency depth create a uniquely favorable terrain for attackers. 2025 reinforced that “package compromise” is often the final step; the earlier step is stealing the ability to publish.
Q4 2025: Worm-like propagation, cross-ecosystem spread, and incentive abuse
Shai-Hulud: large-scale npm compromise and worm-like behavior (November)
Late 2025’s most discussed open-source supply-chain campaign was “Shai-Hulud,” described across multiple reports as an expansive npm compromise characterized by credential theft and propagation dynamics. GitLab reported a large-scale npm campaign involving an evolved “Shai-Hulud” malware variant spreading through packages.
Wiz described trojanized packages uploaded over a tight window in late November and behavior focused on exfiltrating secrets from developer and CI environments.
PyPI’s own blog also referenced the ongoing npm campaign and the way compromised accounts and credential exfiltration can fuel further spread.
The story then broadened: reporting indicated the “v2” wave spilled beyond npm into the Maven ecosystem, illustrating how actor tradecraft and tooling can migrate across language communities when the underlying weaknesses (credentials, automation, trust) are similar.
Why it mattered in 2025: this was a clear demonstration of worm economics in software supply chains: malware designed to harvest secrets and self-propagate through developer infrastructure can compound faster than defenders can manually respond, especially when secrets and publishing rights are abundant.
“Token farming” and package flooding: not all supply-chain abuse looks like malware (October-November)
Another defining 2025 theme was the industrialization of registry abuse for financial incentive, even when the packages are not immediately destructive. AWS described identifying and reporting over 150,000 npm packages linked to a coordinated token-farming campaign (associated with tea.xyz signals), framing it as one of the largest package flooding incidents in registry history.
Endor Labs’ writeup emphasized the persistence and scale of the spam campaign and how long such junk can remain in the ecosystem.
Why it mattered in 2025: this shifted the conversation from “malware detection” to “ecosystem integrity.” Flooding attacks degrade search, raise noise, create future staging grounds for bait-and-switch updates, and impose real costs on maintainers and defenders, even before a single payload triggers.
The policy backdrop in 2025: compliance pressure becomes product pressure
While incidents dominated headlines, 2025 also pushed supply-chain security into the realm of product governance. The EU Cyber Resilience Act (CRA) continued to solidify expectations around secure development, vulnerability handling, and transparency for products with digital elements. European Commission materials described the CRA’s intent and scope, reinforcing that cybersecurity properties are becoming market-access requirements.
Analyses of the CRA highlighted SBOM obligations and long-tail compliance timelines, shaping 2025 planning even if enforcement peaks later.
Why it mattered in 2025: teams increasingly treated SBOMs, provenance, and vulnerability response not as “security program maturity,” but as shipping requirements that would affect procurement, audits, and ultimately revenue.
What 2025 changed: the durable lessons
- CI/CD is now a first-class supply-chain attack surface. The GitHub Actions compromise made it clear that build steps are dependencies with privileged access, and must be governed like code.
- Account and token security is the choke point. Many registry compromises reduce to stolen publishing rights-through compromised maintainers, leaked tokens, or abused automation.
- Registry integrity includes abuse resistance. Token-farming floods and spam campaigns showed that “supply chain” includes the economic and operational health of registries, not just malware payloads.
- Cross-ecosystem propagation is real. The late-year reporting about campaign spillover from npm into Maven reinforced that attacker playbooks are portable.
- Compliance is becoming a forcing function. CRA-driven transparency and lifecycle security expectations shaped 2025 roadmaps even where technical details vary by organization.