MyPrivateClaw

GitHub: A Year of Open Source Vulnerability Trends — CVEs, Advisories, and Malware | Industry

GitHub's Security Lab published its annual open source vulnerability trends report, covering 2025 CVE patterns, advisory growth, malicious package campaigns, a…

Published on MyPrivateClaw

Apr 13, 2026, 7:02 PM UTC

Coverage date

Apr 9, 2026

Last updated

Apr 13, 2026, 7:02 PM UTC

News summary

GitHub's Security Lab has published its annual retrospective on open source vulnerability trends, drawing on data from the GitHub Advisory Database, npm, PyPI, and the broader OSS ecosystem.

Key Statistics

- The GitHub Advisory Database grew by 38% in 2025, now containing over 280,000 advisories across all ecosystems
- Critical and high severity CVEs in AI/ML packages (PyTorch, Transformers, LangChain, LiteLLM) increased by 61% year over year
- Malicious package campaigns targeting AI developers accounted for 12% of all npm malware removals in 2025

AI/ML Package Risk

The report highlights a structural risk in the AI toolchain: many popular packages (LangChain, LlamaIndex, Ollama Python client) release frequently with minimal security review, creating a high-velocity attack surface. Dependency confusion and typosquatting attacks specifically targeting AI package names increased significantly.…
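The two attack patterns the summary names, typosquatting of AI package names and dependency confusion, are both things a defender can check for in a dependency manifest before install. The following is an added example, not code from the GitHub report or from this site. It assumes the PyPI distribution names torch, transformers, langchain, litellm, llama-index and ollama for the projects the summary mentions, a constructed requirements file as input, and a hypothetical internal package name acme-internal-utils for the dependency-confusion check.

```python
# Added example (not from the GitHub Security Lab report or this summary):
# flag requirement names that are near-misses of well-known AI/ML packages
# (typosquatting) and internal package names that could be shadowed by a
# public index (dependency confusion).
import re

# Assumed canonical PyPI names for the projects the summary lists by project name.
KNOWN_AI_PACKAGES = {"torch", "transformers", "langchain", "litellm", "llama-index", "ollama"}


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal-string-alignment distance: a swapped adjacent pair costs one edit,
    which matters because transpositions are the most common typosquat form."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def requirement_name(line):
    """Return the bare project name from a requirements.txt line, or None for
    blank lines, comments and pip options such as --index-url."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def find_typosquats(requirements, known=KNOWN_AI_PACKAGES, max_distance=2):
    """Return (declared_name, closest_known_name, distance) for every requirement
    that is not a known package but is within max_distance edits of one."""
    findings = []
    for line in requirements:
        raw = requirement_name(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in known:
            continue  # exact match after normalization: legitimate spelling
        closest = min(sorted(known), key=lambda k: edit_distance(name, k))
        distance = edit_distance(name, closest)
        if 0 < distance <= max_distance:
            findings.append((raw, closest, distance))
    return findings


def find_dependency_confusion(requirements, internal_names):
    """Flag internal package names that pip would also look up on the public
    index: --extra-index-url merges indexes and picks the highest version, and
    with no --index-url at all the public index is the only source."""
    opts = [l.strip() for l in requirements if l.strip().startswith("-")]
    uses_extra_index = any(o.startswith("--extra-index-url") for o in opts)
    has_private_index = any(o.startswith("--index-url") for o in opts)
    if has_private_index and not uses_extra_index:
        return []  # single private index: public lookup does not happen here
    internal = {normalize(n) for n in internal_names}
    flagged = []
    for line in requirements:
        raw = requirement_name(line)
        if raw is not None and normalize(raw) in internal:
            flagged.append(raw)
    return flagged


# Constructed requirements file: two transpositions, one hyphen variant,
# several correct names, and a hypothetical internal package behind an extra index.
SAMPLE_REQUIREMENTS = [
    "torch==2.3.0",
    "trasnformers>=4.40",
    "langchian",
    "lite-llm",
    "llama_index==0.10.0",
    "ollama",
    "requests>=2.31",
    "acme-internal-utils",
    "--extra-index-url https://pypi.example.internal/simple",
]

if __name__ == "__main__":
    for raw, closest, distance in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"possible typosquat: {raw!r} is {distance} edit(s) from {closest!r}")
    for raw in find_dependency_confusion(SAMPLE_REQUIREMENTS, {"acme-internal-utils"}):
        print(f"dependency confusion risk: {raw!r} resolvable from the public index")
```

The distance threshold of two edits is a starting point, not a rule: one edit catches nearly all transposition and hyphen variants with few false positives, while two edits on short names like torch will start flagging unrelated packages, so tune it against your own manifest. The dependency-confusion check only looks at index directives in the file itself; a pip.conf or environment variable can set the same options outside it.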