TL;DR At the end of Q2 2026, Sonatype Research reached 1.8 million malicious packages logged. In Q2, npm accounted for 96.6% ...