The software supply chain, especially the part built on open-source components, continued to face escalating threats in October 2025. Attackers are exploiting registry compromises, typosquatting, hidden dependencies and repository trust to move malicious code into many organisations’ build and deployment pipelines. At the same time, defense and governance efforts are ramping up: auditing tools, policy frameworks, SBOMs (software bills of materials), and regulatory pressures are gaining momentum. What follows is a breakdown of major incidents, emerging patterns and implications for defenders and open-source practitioners.
Major incidents
1. Surge in supply-chain attacks
Data from Cyble show 41 software supply-chain incidents reported in October 2025 – the highest monthly figure recorded, roughly 30% above their previous peak in April. Ransomware-linked groups such as Qilin and Akira were identified as major contributors. Sectors under focus included IT, finance, healthcare, manufacturing and utilities.
2. Registry compromise: npm campaign “PhantomRaven”
Researchers uncovered the PhantomRaven campaign, which planted over 120 malicious packages in the npm registry. These packages stole GitHub tokens, CI/CD secrets and developer credentials. The attack used invisible URL links and hidden code to evade dependency-detection tools.
3. NuGet typosquatting attack
A separate incident targeted the NuGet (.NET) registry: attackers used homoglyph/Unicode look-alike package names mimicking the legitimate Nethereum project. The nuance: NuGet’s identifier policy allows non-ASCII characters, which made the attack feasible.
4. Foundational infrastructure compromise: F5 breach
The breach of F5 (vendor of BIG-IP devices) was publicly disclosed in October. Because F5’s devices underlie critical infrastructure and government networks, the breach is a textbook supply-chain concern: a compromise of foundational tech impacts many downstream consumers.
5. Governance and transparency efforts
The OpenSSF October 2025 newsletter outlined key open-source supply-chain-security advances: an audit of the Scorecard tool, a free course on secure AI/ML-driven development, and evolving SBOM frameworks tied to the EU’s Cyber Resilience Act (CRA).
Patterns and themes
Shift from vulnerabilities to dependencies and trust. Traditional vulnerabilities (e.g., buffer overflows) remain important, but supply-chain risk increasingly centers on trust management: compromised build infrastructure, faulty dependencies, malicious packages, or hidden code that only activates in target environments. The updated OWASP Top 10 acknowledges this: “Software Supply Chain Failures” is now a top category.
Registry attacks and package ecosystem abuse. Both npm and NuGet were exploited. Attackers are increasingly adept at registry-level attacks: publishing malicious code, using typosquatting, hiding payloads in dependencies or injecting code via invisible characters.
Critical-infrastructure and vendor supply-chain risk. The F5 incident highlights that supply-chain risk is not only about open-source packages: proprietary vendors, firmware and appliance vendors can be vectors too.
Emerging role of AI/LLMs. While direct AI-generated attacks in October are less documented, research showing stealthy attacks, together with reliance on AI/LLM code generation (e.g., from the Google Open Source Blog), suggests that AI expands the attack surface (e.g., by generating code with hidden dependencies or insecure patterns).
Governance, SBOMs and policy catching up. The OpenSSF newsletter and other industry commentary show increased emphasis on SBOMs, license compliance, build-chain transparency and regulatory frameworks (e.g., CRA). This shift is crucial given the speed and scale of attacks.
Implications for defenders and open-source maintainers
For organizations using open-source components:
- Treat dependencies as first-class security risk: monitor not only direct dependencies but transitive ones and registry trust.
- Employ SBOMs and automate pipelines to detect unwanted licenses or malicious packages. One example is the SBOM generation and license compliance feature announced by RunSafe Security (though published in November, the capability is relevant).
- Segment and limit build/CI/CD system credentials and tokens: the PhantomRaven incident shows how token theft via developer machines leads to broad compromise.
- Vet package registry rules: if you rely on NuGet, check whether your organization enforces ASCII identifiers or restricts look-alikes. The NuGet incident shows gaps.
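One way to run the identifier check from the last item over a project file, as an added example that is not part of the original article or any vendor tooling. It goes slightly beyond the Nethereum case by flagging any non-ASCII package ID; the sample project file, the small look-alike table and all function names are constructed for illustration.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the article). The second reference
# uses CYRILLIC SMALL LETTER IE (U+0435) in the name; versions are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="0.0.0" />
    <PackageReference Include="N\u0435thereum.Web3" Version="0.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
  </ItemGroup>
</Project>"""

# Small illustrative look-alike table (assumption: a real deployment would
# load the full Unicode confusables data instead of this hand-picked subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}

def skeleton(package_id):
    """Fold case and look-alikes so visually equal IDs compare equal."""
    folded = unicodedata.normalize("NFKC", package_id).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def non_ascii_chars(package_id):
    """List each non-ASCII character with its code point and Unicode name."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            for ch in package_id if ord(ch) > 127]

def package_ids(csproj_text):
    """Extract PackageReference IDs, with or without an MSBuild namespace."""
    root = ET.fromstring(csproj_text)
    return [el.get("Include") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include")]

def audit(csproj_text, trusted_ids):
    """Flag every non-ASCII ID; name the trusted ID it imitates, if any."""
    trusted = {skeleton(t): t for t in trusted_ids}
    findings = []
    for pid in package_ids(csproj_text):
        odd = non_ascii_chars(pid)
        if odd:
            findings.append({"id": pid, "non_ascii": odd,
                             "imitates": trusted.get(skeleton(pid))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ, ["Nethereum.Web3", "Newtonsoft.Json"]):
        print(finding)
```

Run as a CI gate, a non-empty result from `audit` is a reason to fail the build until someone confirms the package ID by code point rather than by eye.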
For open-source projects and maintainers:
- Maintain strong identity and publishing practices: vet new maintainers, audit commits, monitor typosquat attempts.
- Provide SBOMs for your project, declare license obligations clearly.
- Consider supply-chain-specific protections: audit build infrastructure, enforce reproducible builds, sign artifacts (see projects like Sigstore).
For policy makers and ecosystem stakeholders:
- Encourage funding and support for critical open-source infrastructure. The “digital sovereignty” discussion in the EU (e.g., via proposed sovereign tech funds) is relevant.
- Require transparency via SBOMs or similar from vendors and suppliers, especially for critical infrastructure.
- Adapt governance to address supply-chain risk: not just “patch this bug” but “who builds, signs and delivers this software?”
October 2025 was a salient month for open-source software supply-chain security. Attack volumes reached record highs, registry compromises proliferated, and foundational vendor breaches reminded us that supply-chain risk is broad and systemic. On the defense side, governance, tooling and transparency efforts are stepping up, but attackers continue innovating and exploiting weak links.