The widespread adoption of open source software (OSS) is fueling a parallel surge in open source security threats, Sonatype reveals in its latest report. The company’s 10th Annual State of the Software Supply Chain highlights a 156% increase in discovered malicious OSS packages.
Since 2019, more than 704,102 malicious packages have been identified, with 73% of these—totaling 512,847—being uncovered after November 2023 alone.
Sonatype’s report also emphasizes the unprecedented scale of open source consumption in 2024, estimating 6.6 trillion downloads. JavaScript (npm) dominates the landscape with 4.5 trillion requests, marking a 70% year-over-year growth, followed by Python (PyPI), which is expected to reach 530 billion requests by year’s end—a rise of 87%.
Although newer versions of packages are available in over 99% of cases, an alarming 80% of application dependencies have not been upgraded for over a year. Furthermore, in 95% of cases involving vulnerable components, safer versions already exist.
The report flags persistent risks, notably with Log4j: three years after Log4Shell came to light, 13% of downloads remain vulnerable. Additionally, vulnerabilities take longer to address—some exceeding 500 days—highlighting a glaring gap in publishers’ ability to keep pace with CVE remediation.
From 2013 to 2023, the number of CVEs skyrocketed by 463%.
Sonatype calls for robust security protocols across the board, from software manufacturers to regulators, emphasizing that companies must prioritize both innovation and security.
“In the past decade, software supply chain attacks have grown in sophistication and frequency, especially in the realm of open source malware,” said Brian Fox, CTO and Co-Founder of Sonatype. “To safeguard a secure open source ecosystem over the coming years, we must focus on proactive security practices, better dependency management, and a heightened focus on open source malware.”
However, the regulatory landscape is evolving. Initiatives such as the EU’s NIS2 Directive, set to take effect in October 2024, and new policies coming from India and Australia are pushing for stronger standards, including the increased adoption of software bills of materials (SBOMs). Over 60,000 SBOMs have been published in the past year.
Data in the Sonatype report is based on analysis from more than seven million open source projects.