Open Source Supply Chain Threats: December 2025 in Review

Juan Aguirre
January 20, 2026

Before we dive into 2026, let's take a quick look back at how we closed out 2025 with an overview of malicious packages we found in NPM and PyPI for December.

In December 2025, our team tracked 3,683 unique malicious packages across these two ecosystems. Threat actors continued to exploit developer trust, with typosquatting, dependency confusion, and social engineering among the most common techniques. Here's what we saw.

December by the Numbers

Total malicious packages: 3,683

NPM: 1,887 (51%)

PyPI: 1,796 (49%)

NPM vs PyPI: Where the Threats Are

NPM continues to lead in raw volume, which isn't surprising as this is a pattern we’ve seen all year. The combination of install scripts that execute automatically, minimal barriers to publishing with limited package vetting, a massive package count, and a culture of micro-dependencies creates fertile ground for attackers. A typosquat on a popular utility has a reasonable chance of getting installed before anyone notices.

PyPI isn't far behind. The ecosystem saw 1,796 malicious packages in December alone. Python's setup.py execution model and the growing use of Python in AI/ML pipelines make it an attractive target. Attackers know that data scientists and ML engineers may not scrutinize dependencies the way seasoned security teams do. This is why it's critical to gain complete visibility into environments and not just production code, which is something we at Safety are working to solve.

Spotlight: The ChatClub Campaign Continues

Among our detections, a couple of packages stood out: @chatgptclaude_club/claude-code and @chatclub1/claude-code. These are part of an ongoing campaign we've been tracking that typosquats AI developer tools.

The tactic is straightforward but effective. As AI coding assistants like Claude Code gain popularity, developers searching for packages may mistype or trust similarly named packages. These packages deployed a sophisticated payload that steals Anthropic API credentials while also establishing a bidirectional command-and-control (C2) channel, allowing threat actors to proxy victims' Claude sessions and exfiltrate prompts, conversations, and billing data. For a deeper technical breakdown, check out our earlier analysis of the ChatClub campaign.

The package.json hijacks the 'claude' command by mapping it to start.js
The start.js payload is heavily obfuscated to evade detection
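
As an added example (not code from the original post or from Safety's tooling), the check below flags a package.json whose bin field claims a command normally provided by a different package, which is the pattern described above, and also reports install hooks that run automatically. The EXPECTED_BIN_OWNERS allowlist, the function names and the sample manifest are assumptions constructed for illustration.

```javascript
// Assumed allowlist (maintained by the defender): command -> package expected
// to provide it. Extend it for the CLIs your team installs.
const EXPECTED_BIN_OWNERS = { claude: "@anthropic-ai/claude-code" };

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// npm accepts "bin" as an object, or as a string, in which case the command
// name is the package name without its scope.
function normalizeBin(manifest) {
  const { name = "", bin } = manifest;
  if (!bin) return {};
  if (typeof bin === "string") return { [name.split("/").pop()]: bin };
  return bin;
}

// Returns a list of findings for one parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  for (const [command, target] of Object.entries(normalizeBin(manifest))) {
    const owner = EXPECTED_BIN_OWNERS[command];
    if (owner && owner !== manifest.name) {
      findings.push({
        rule: "bin-hijack",
        detail: `${manifest.name} claims "${command}" (expected ${owner}) -> ${target}`,
      });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const script = manifest.scripts && manifest.scripts[hook];
    if (script) findings.push({ rule: "install-script", detail: `${hook}: ${script}` });
  }
  return findings;
}

// Constructed sample manifest. The bin mapping mirrors what the post describes;
// the postinstall entry is added only to exercise the second rule.
const sampleManifest = {
  name: "@example-scope/claude-code", // placeholder name, not a real package
  version: "0.0.0",
  bin: { claude: "start.js" },
  scripts: { postinstall: "node start.js" },
};

for (const f of auditManifest(sampleManifest)) console.log(`[${f.rule}] ${f.detail}`);
```

Running this over each manifest in a lockfile's resolved tree, before install, surfaces command-name collisions that a name-similarity check alone would miss.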

Interestingly, Claude doesn't only have to be the victim here; it can also be the tool we leverage to make sense of the obfuscation. Feeding the payload to Claude helped us quickly deobfuscate the code and understand what it was actually doing.

This campaign has persisted across multiple months, which tells us threat actors are paying attention to the same trends we are. The AI tooling hype cycle is creating new social engineering opportunities, and we expect this pattern to continue into 2026.

Other Findings

Not everything flagged as malicious is criminal in nature. Some of the packages our AI-powered malware detection engine identified were CTF (Capture the Flag) challenge packages, researchers and developers publishing tests and PoCs, and other unwanted code. These represent the gray area between security research, education, and actual threats - not fully malicious, but certainly not things you want running in your systems.

These findings reinforce an important point: "malicious" is a spectrum. Defenders need tooling that catches everything from sophisticated stealers to questionable research packages, then human judgment to prioritize response.

How We Track This

Our data combines public sources like OSV and GHSA with proprietary detection through our AI-powered malware detection engine, our internal tooling that analyzes packages for suspicious behaviour patterns. Every package it flags undergoes human review before classification. The goal is signal over noise, actionable intelligence rather than alert fatigue.

Looking Ahead

The supply chain threat isn't slowing down. With over 3,000 malicious packages in a single month, the scale demands automated detection paired with expert analysis. We're watching for continued abuse of AI-themed package names, packages targeting web3 and crypto developers, expansion into adjacent ecosystems, and increasingly sophisticated obfuscation techniques.

How Can Safety Help Protect You?

Traditional vulnerability scanning tools aren't designed to catch this kind of threat. Even if you're running a quality EDR, standard SCA tools or an anti-virus product, packages like the ones we identified in December can slip through.

At Safety, we've already caught thousands of suspicious open source packages before they could compromise developer environments. The Safety Firewall protects developers and CI pipelines proactively; every package installation request is analyzed before reaching public repositories. Malicious, vulnerable, and policy-violating packages are automatically blocked before they can enter your systems. Prevention, not just detection.

Interested in trying Safety Firewall? Request a demo or start a free trial at getsafety.com.

Feel free to reach out with any questions!
