In the first five months of 2026, security researchers have flagged more malicious packages on the npm registry than in all of 2024. A benchmark study published on arXiv in May 2026 tested leading detection tools against thousands of real-world malicious and benign npm packages and found that automated defenses routinely miss threats that use common evasion techniques. The findings land amid multiple industry reports documenting sharp year-over-year increases in malicious open-source packages across major registries, confirming that attackers are scaling their operations faster than the ecosystem can respond.
A growing attack surface hiding in plain sight
The npm registry serves as the default package manager for Node.js and underpins millions of JavaScript projects, from startup prototypes to enterprise platforms used by banks and hospitals. Its open-publish model means anyone can upload a package, and that accessibility has become a weapon. Threat actors now routinely upload packages containing hidden data-exfiltration scripts, dependency-confusion payloads, and obfuscated backdoors. A developer who installs one of these packages, sometimes after a single typo in a terminal command, can unknowingly push malicious code into production within hours through automated CI/CD pipelines.
The scale of the problem has grown sharply. Sonatype’s State of the Software Supply Chain report series, which catalogs malicious packages across npm, PyPI, and other registries, recorded a 156 percent spike in malicious packages during 2024. Checkmarx and Socket, two firms that monitor registry activity in real time, have separately documented sustained waves of typosquatting and dependency-hijacking campaigns targeting JavaScript developers throughout early 2026. While no single vendor has published a universally audited figure for the current period, the directional trend across multiple trackers points to continued rapid growth in weaponized package volume.
What the benchmark study actually found
The arXiv preprint, titled “Understanding NPM Malicious Package Detection: A Benchmark-Driven Empirical Analysis,” takes a different angle from vendor threat reports. Rather than counting attacks, the research team, affiliated with academic institutions listed in the preprint, built a controlled dataset of malicious and benign npm packages drawn from real registry activity, then ran that dataset through multiple detection tools to measure accuracy across specific evasion categories.
The results expose a troubling gap. Tools performed reasonably well against straightforward malicious payloads but struggled with packages that used install-script triggers, code obfuscation, or multi-stage execution to hide their intent. False negatives, where a scanner labels a dangerous package as safe, remained a persistent weakness across every tool tested. The precise miss rates varied by tool and evasion type, but the overall pattern was consistent: attackers who invest even modest effort in disguising their code can slip past automated defenses.
“The detection tools we evaluated showed a consistent blind spot for packages that defer malicious behavior to post-install scripts or split payloads across multiple modules,” the preprint’s authors wrote, underscoring that evasion complexity does not need to be sophisticated to succeed.
ArXiv, hosted by Cornell Tech, publishes preprints before formal journal peer review, so the study’s methodology is open for scrutiny but has not yet been independently validated through the traditional review process. That said, the dataset and tool configurations are publicly available, making the results reproducible for any security team willing to run the tests.
Where the picture is still incomplete
Counting malicious packages is harder than it sounds. Sonatype, Snyk, Checkmarx, and Socket each use proprietary telemetry and classification criteria, which means two vendors scanning the same registry can arrive at different totals. Some count unique package names that were flagged and removed; others tally distinct malware families or download events. The 73 percent year-over-year increase referenced in industry discussions reflects a real and measurable trend direction, but it does not trace to a single named report with a disclosed methodology. Readers should treat it as an approximate industry-consensus estimate rather than an audited statistic.
Attribution remains murky. Secondary reporting has linked npm supply-chain attacks to both financially motivated cybercriminal groups and state-sponsored operations, but the arXiv benchmark study does not assign blame to any specific actor. Without on-the-record confirmation from npm’s parent company, GitHub, about exact removal rates and response timelines, it is also difficult to gauge how quickly the registry neutralizes threats once external researchers flag them. GitHub has invested in package-signing initiatives and the OpenSSF Scorecard project, but the company has not published granular data on how many malicious uploads it intercepts before a single download occurs.
What developers and companies should do now
The benchmark study’s most actionable takeaway is specific: organizations should test their dependency-scanning tools against the evasion categories the researchers identified. If a scanner has never been evaluated against install-script triggers or obfuscated payloads, it may be missing the exact techniques attackers are actively using.
Beyond tool evaluation, baseline defenses still matter. Pinning dependencies to known-good versions, enforcing lockfile integrity checks, and requiring manual review of new or unfamiliar packages before they enter a build pipeline can block a significant share of attacks. Larger organizations are increasingly adopting internal package mirrors that only serve pre-vetted dependencies, removing direct exposure to the public registry entirely.
Volume is rising, but detection is not keeping pace
None of these defensive steps are new advice, but the benchmark data gives them fresh urgency. Every undetected malicious package that reaches a developer’s build system can propagate through cloud deployments and end-user applications in a matter of hours. The gap between attacker innovation and defender tooling has existed for years. What has changed in 2026 is the sheer volume of attempts, and the evidence that current tools are not keeping up. The institutional research community supporting open-access security research plays a direct role in making studies like this one available to practitioners who need them most, but acting on the findings rather than treating them as academic exercises remains the responsibility of registry operators, tool developers, and the companies funding open-source infrastructure.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
