Open Source Malware Soars By 156%
In a Rush? Here are the Quick Facts!
- Open source malware increased by 156% over the past year.
- 80% of application dependencies remain un-upgraded for over a year.
- Projects with paid support resolve vulnerabilities up to 45% faster than others.
Sonatype announced on Thursday its 10th Annual State of the Software Supply Chain Report, revealing a staggering 156% increase in open source malware in the past year, alongside a record 6.6 trillion downloads of open source software.
The findings underscore the growing risks associated with software supply chains, which are becoming increasingly vulnerable as open source consumption accelerates.
The report, grounded in data from over 7 million open source projects, highlights a remarkable 80% increase in Python package requests and a 70% rise in JavaScript downloads, indicating a significant surge in software consumption.
However, this surge is accompanied by a troubling proliferation of malicious packages, with 704,102 identified since 2019. Notably, several critical vulnerabilities took over 500 days to remediate in 2024, revealing the backlog facing maintainers.
Consumer complacency exacerbates this issue: despite 99% of packages having updated versions available, 80% of application dependencies remain un-upgraded for over a year. Alarmingly, when a vulnerable component is identified, a fixed version already exists 95% of the time.
To combat these growing threats, Sonatype advocates for increased investment in open source projects.
The report reveals that open source projects with paid support are nearly three times more likely to have comprehensive security policies in place. Moreover, components with paid support resolve outstanding vulnerabilities up to 45% faster and generally have half the vulnerabilities overall.
The report also points to emerging regulations, such as the Network and Information Systems Directive (NIS2) in the EU, which are promoting Software Bill of Materials (SBOM) adoption.
“Over the last decade, we’ve seen software supply chain attacks increase in sophistication and frequency, particularly with the rise of open source malware,” said Brian Fox, CTO and Co-Founder at Sonatype.
“In order to ensure a vibrant and secure open source ecosystem for the decade ahead, we must build a foundation of proactive security with vigilance against open source malware, decreased consumer complacency, and comprehensive dependency management,” he added.
These challenges in the software supply chain reflect a broader trend in the cybersecurity landscape. A new report highlights that 66% of cybersecurity professionals find their roles more stressful than five years ago, largely due to an increasingly complex threat landscape, low budgets, and insufficiently trained staff.