Skip Navigation

Sonatype’s 10th Annual State of the Software Supply Chain Report Reveals 156% Surge in Open Source Malware

   

A record-breaking year for open source consumption as downloads hit 6.6 trillion, amplifying software supply chain risk

Fulton, Md. – October 10, 2024Sonatype®, the end-to-end software supply chain security platform, today released its 10th Annual State of the Software Supply Chain® Report. Sonatype was first to define this market and consistently provides year-over-year analyses of open source consumption data. Sharing these unparalleled insights over the past decade has expedited innovation in software development, as well as propelled Sonatype’s success in bringing industry-first solutions to market.

Backed by data from over 7 million open source projects, this year’s report spotlights the growing threat of open source malware and software supply chain risk amid a record-breaking year for open source consumption, reaching an estimated 6.6 trillion downloads. Noteworthy findings from the report include: 

  • Consumption is exploding: Python (PyPI) saw an 80% increase in consumption compared to last year, reaching more than 530 trillion package requests, while JavaScript (npm) downloads increased by 70%, with 4.5 trillion package requests.

  • Open source malware is proliferating: Sonatype observed a 156% increase in the number of malicious packages year-over-year, reaching more than 704,102 identified since 2019.

  • Publishers can’t keep up with CVE remediation: As CVEs continue to rise exponentially, several critical vulnerabilities in 2024 took over 500 days to fix, indicating that maintainers are struggling to cope with the backlog of vulnerabilities.

  • Consumer complacency is fueling persistent risk: Despite more than 99% of packages having updated versions available, 80% of application dependencies remain un-upgraded for over a year. On top of that, 95% of the time, when vulnerable components are consumed, a fixed version already exists.

  • Supporting the community bolsters software supply chain security: Open Source projects with paid support are nearly three times more likely to have a comprehensive security policy. Additionally, components with paid support resolve outstanding vulnerabilities up to 45% faster and have half the vulnerabilities overall. 

  • Regulators are catching up: New policies are emerging, including The Network and Information Systems Directive (NIS2) going live this month in the European Union and forthcoming regulations surfacing in India and Australia. These policies are encouraging SBOM adoption, with more than 60,000 SBOMs published in the last year.

“Over the last decade, we’ve seen software supply chain attacks increase in sophistication and frequency, particularly with the rise of open source malware, while publishers and consumers have remained relatively stagnant when it comes to security,” said Brian Fox, CTO and Co-Founder at Sonatype. “In order to ensure a vibrant and secure open source ecosystem for the decade ahead, we must build a foundation of proactive security with vigilance against open source malware, decreased consumer complacency, and comprehensive dependency management.”

To read the full report, visit sonatype.com/state-of-the-software-supply-chain

You can also tune in to All Day DevOps for a keynote panel today, October 10 at 11:00 a.m. ET, on the state of the software supply chain, where Fox will be joined by Christopher Robinson, Chief Architect at Open Source Security Foundation; Jonathan Meadows, Citi Tech Fellow; and Georg Link, Open Source Strategist at Bitergia. To register for the keynote or view the talk on demand, visit https://www.alldaydevops.com/

 

About Sonatype 

Sonatype is the software supply chain security company. We provide the world’s best end-to-end software supply chain security solution, by combining the only proactive malicious protection against malicious open source, the only enterprise grade SBOM management and the leading open source dependency management platform. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.

 

About the Analysis 

Sonatype’s 10th Annual State of the Software Supply Chain report blends a broad set of public and proprietary data and analysis, including dependency update patterns for more than 1.5 trillion requests from Maven Central and thousands of open source projects, and the assessment of hundreds of thousands key enterprise applications. This year’s report also analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npm), Python (PyPI), and .NET (NuGet) ecosystems. Special analysis was included thanks to the CHAOSS Community and their CHAOSS Community Report, as well as Tidelift and their survey of more than 400 open source maintainers as source for The 2024 Tidelift State of the Open Source Maintainer Report. The authors have taken great care to present statistically significant sample sizes with regard to component versions, downloads, vulnerability counts, and other data surfaced in this year’s report.