Executive Summary
In 2025, GitHub's Advisory Database reported 4,101 reviewed advisories, marking the lowest count since 2021. This decline is attributed to a reduction in backfilling older vulnerabilities, while newly reported vulnerabilities increased by 19% year-over-year. Notably, npm malware advisories surged by 69%, driven by large-scale campaigns like SHA1-Hulud. Additionally, there was a significant rise in vulnerabilities related to resource exhaustion, unsafe deserialization, and server-side request forgery. These trends underscore the evolving threat landscape in open-source software. (github.blog)
The current relevance of this incident lies in the persistent and growing threats targeting open-source ecosystems. The increase in new vulnerabilities and sophisticated malware campaigns highlights the need for continuous vigilance and proactive security measures among developers and organizations relying on open-source components.
Why This Matters Now
The surge in new vulnerabilities and sophisticated malware campaigns in open-source software underscores the urgent need for enhanced security practices and proactive measures to protect against evolving threats.
Attack Path Analysis
An attacker infiltrated the software supply chain by compromising a third-party vendor, embedding malicious code into a widely used open-source library. Upon integration into the target's development pipeline, the malware executed, escalating privileges to gain administrative access. The attacker then moved laterally across cloud environments, establishing command and control channels to exfiltrate sensitive data, ultimately causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker compromised a third-party vendor, embedding malicious code into an open-source library used by the target.
Related CVEs
CVE-2025-15265
CVSS 6.1svelte vulnerable to Cross-site Scripting
Affected Products:
Svelte svelte – < 3.50.0
Exploit Status:
no public exploitCVE-2026-23520
CVSS 8Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
Affected Products:
Arcane Arcane Updater – < 1.2.3
Exploit Status:
proof of conceptCVE-2026-22787
CVSS 6.1html2pdf.js contains a cross-site scripting vulnerability
Affected Products:
html2pdf.js html2pdf.js – < 0.10.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Compromise Software Dependencies and Development Tools
Compromise Software Supply Chain
Compromise Hardware Supply Chain
Software Deployment Tools
Credential Dumping: LSASS Memory
Valid Accounts
Obfuscated Files or Information
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Implement supply chain risk management practices
Control ID: Supply Chain Security
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply chain vulnerability exposure through open source dependencies, requiring immediate CVE assessment and enhanced egress security controls for development environments.
Banking/Mortgage
High-risk malware advisory alerts affecting npm packages threaten payment systems, demanding zero trust segmentation and encrypted traffic monitoring for compliance.
Health Care / Life Sciences
Open source vulnerability trends pose HIPAA compliance risks through potential data exfiltration, requiring threat detection and secure hybrid connectivity implementation.
Financial Services
Supply chain attacks via compromised packages threaten transaction integrity, necessitating multicloud visibility controls and inline intrusion prevention system deployment.
Sources
- A year of open source vulnerability trends: CVEs, advisories, and malwarehttps://github.blog/security/supply-chain-security/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware/Verified
- GitHub Advisory Databasehttps://github.com/advisoriesVerified
- About the GitHub Advisory database - GitHub Docshttps://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-databaseVerified
- 2025 Open Source Vulnerability Trends — theAIcatchuphttps://opensourcebeat.com/article/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily focuses on securing cloud workloads, it may not directly prevent the initial compromise through third-party vendors.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely restrict the attacker's lateral movement by enforcing segmentation policies and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control communications by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely restrict unauthorized data exfiltration by controlling and monitoring outbound traffic.
By implementing Aviatrix Zero Trust CNSF, the overall impact of the attack could likely be reduced, limiting operational disruption and data exposure.
Impact at a Glance
Affected Business Functions
- Software Development
- Application Security
- DevOps
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive application code and developer credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- • Deploy East-West Traffic Security controls to monitor and secure internal communications.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- • Establish Multicloud Visibility & Control to maintain oversight across all cloud environments.
