10th Annual State of the Software Supply Chain®


A Decade of Evolution, Innovation, and Growing Risks

As we mark the 10th annual State of the Software Supply Chain report, the transformation of open source software has been nothing short of profound. Open source consumption has exploded, with estimates placing this year’s downloads at over 6.6 trillion. This reliance on open source components, which now make up as much as 90% of a modern software application, has ushered in both unprecedented innovation and complex challenges for software supply chains. Because of this, the industry has also become increasingly regulated, moving from a hands-off approach in the early 2010s to proactive frameworks that address growing cybersecurity risks in the global software supply chain.

This year’s report, backed by data from over 7 million open source projects, double-clicks on many of the unsettling trends in security and risk management we’ve been following in the past 10 reports. Notably, the rise of open source malware and software supply chain attacks has become a critical threat. Examples such as the LUMMA malware found in PyPI and the XZ Utils package backdoor highlight the growing sophistication of these attacks, which often bypass traditional security measures, leaving organizations vulnerable. In fact, the number of malicious packages has grown by 156% year-over-year, posing a significant risk to enterprises that fail to manage their OSS dependencies effectively.

7M

open source projects analyzed for the 2024 report

Here’s what else we found. 

Open Source Scale and Consumption Behaviors

Open source software adoption is at a multitrillion request scale, with ecosystems like JavaScript (npm) and Python (PyPI) leading the charge:

  • JavaScript (npm) accounted for a staggering 4.5 trillion requests in 2024, representing 70% year-over-year growth in requests.
  • Python (PyPI), driven by AI and cloud adoption, is estimated to reach 530 billion package requests by the end of 2024, up 87% year-over-year.

But this growth brings new risks. Open source malware is infiltrating open source ecosystems at an alarming rate. More than 512,847 malicious packages have been logged in the past year alone, a 156% increase year-over-year, highlighting a critical need for organizations to adapt their consumption practices. Traditional security tools often fail to detect these novel attacks, leaving developers and automated build environments highly vulnerable. The result is a new wave of next-generation supply chain attacks that target developers directly, bypassing existing defenses.

Further, each ecosystem presents different challenges. For instance, npm has experienced much of its growth from spam; Python is the fastest-growing in projects and volume, and shows more vulnerabilities per package compared to others; and Java (Maven) has an average of 28 versions per project.

Read more in our chapter on Open Source Scale.

Open Source Scale and Consumption Behaviors by the Numbers

512,847

Malicious packages discovered since Nov. 2023

156%

YoY growth of malicious packages

4.5 Trillion

JavaScript (npm) requests, 70% YoY growth

530 Billion

Python (PyPI) package requests, 80% YoY increase largely driven by AI & cloud

Persistent Risk and Consumer Complacency

In parallel, organizations continue to struggle with efficient risk mitigation. This is why this year, we introduce the concept of “Persistent Risk,” a combination of unfixed and corrosive vulnerabilities that continues to erode the security integrity of software over time. A prime example of this is Log4j, where 13% of downloads remain vulnerable three years after the Log4Shell vulnerability was exposed. While we’re extremely focused on this rise in contaminated open source projects, or malware, the reality is all open source or commercial software will eventually have bugs that evolve into vulnerabilities; they age more like steel, not aluminum, becoming rusty after extensive corrosion.

The prevalence of such risks underscores the complacency that still defines much of the industry’s approach to open source consumption. 

  • 80% of application dependencies remain un-upgraded for over a year, even though 95% of these vulnerable versions have safer alternatives readily available. It’s not a matter of ‘if’ a breach will occur, but ‘when.’
  • Only 0.5% of OSS components have no available update (No Path Forward), meaning that nearly all risk is preventable if organizations take proactive steps to update their dependencies.
  • Even when updates are applied, 3.6% of dependencies are still vulnerable because they were updated to another insecure version.
  • Our analysis of over 20,000 enterprise applications shows that reliance on EOL (end-of-life) components, which no longer receive updates, leads to the gradual breakdown of software integrity, strongly indicating increased security vulnerabilities.
  • Looking at discoverability revealed that, despite over seven million open source components, only 10.5% (about 762,000) are actively used. This disparity highlights the noise developers face when selecting components.
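As an added illustration of the persistent-risk categories in the list above (not code from the report or from Sonatype), the following Python script classifies each dependency in a constructed manifest as not vulnerable, as vulnerable with a safer alternative available, or as vulnerable with no path forward, and separately judges whether an upgrade that was actually applied landed on another insecure version. The component names, version lists and vulnerability flags are invented sample data, not real advisories.

```python
"""Upgrade-path selector for the 'persistent risk' categories.

Added example: classifies dependencies the way the report's categories
suggest (safer alternative / no path forward) and flags the failure mode
of upgrading to another vulnerable version. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def parse_version(v: str) -> tuple:
    """Turn '2.14.0' into (2, 14, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Component:
    name: str
    current: str            # version pinned in the application today
    published: List[str]    # every version the ecosystem has published (constructed)
    vulnerable: Set[str]    # versions with a known vulnerability (constructed)


def is_vulnerable(c: Component, version: str) -> bool:
    return version in c.vulnerable


def safe_upgrade_target(c: Component) -> Optional[str]:
    """Smallest published version newer than the current one with no known
    vulnerability, or None when every newer version is also affected."""
    cur = parse_version(c.current)
    candidates = [v for v in c.published
                  if parse_version(v) > cur and not is_vulnerable(c, v)]
    return min(candidates, key=parse_version) if candidates else None


def classify(c: Component) -> str:
    """Bucket a dependency into one of the report's persistent-risk categories."""
    if not is_vulnerable(c, c.current):
        return "not vulnerable"
    if safe_upgrade_target(c) is None:
        return "no path forward"          # only a downgrade or no release would help
    return "safer alternative available"


def upgrade_outcome(c: Component, new_version: str) -> str:
    """Judge an upgrade that was applied: did it actually remove the risk?"""
    if new_version not in c.published:
        raise ValueError(f"{c.name} {new_version} is not a published version")
    if parse_version(new_version) <= parse_version(c.current):
        return "not an upgrade"
    if is_vulnerable(c, new_version):
        return "upgraded to another insecure version"   # the 3.6% case
    return "upgraded to a safe version"


def summarize(components: List[Component]) -> Dict[str, int]:
    """Count how many dependencies fall into each category."""
    counts: Dict[str, int] = {}
    for c in components:
        bucket = classify(c)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed manifest: hypothetical component names and versions.
SAMPLE = [
    # Vulnerable, and the next three releases are vulnerable too; 2.16.0 is clean.
    Component("example-logger", "2.14.0",
              ["2.13.0", "2.14.0", "2.14.1", "2.15.0", "2.16.0"],
              {"2.13.0", "2.14.0", "2.14.1", "2.15.0"}),
    # Vulnerable with nothing newer published: a true "no path forward".
    Component("example-parser", "1.2.0",
              ["1.0.0", "1.1.0", "1.2.0"],
              {"1.1.0", "1.2.0"}),
    # Already on a clean version.
    Component("example-crypto", "3.0.1",
              ["3.0.0", "3.0.1"],
              {"3.0.0"}),
]

if __name__ == "__main__":
    for comp in SAMPLE:
        print(f"{comp.name} {comp.current}: {classify(comp)}"
              f" (target: {safe_upgrade_target(comp)})")
    print(summarize(SAMPLE))
```

The selector deliberately picks the smallest clean version above the current one rather than the latest release, which keeps the upgrade diff small; the `upgrade_outcome` check is what catches a bump to a version that is newer but still listed as affected.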

Persistent Risk and Consumer Complacency by the Numbers

13%

Log4j downloads remain vulnerable 3 years after Log4Shell exposure

Only 0.5%

OSS components have no available update
NEARLY ALL RISK IS PREVENTABLE

80%

application dependencies remain un-upgraded for over a year

3.6%

dependencies are upgraded to another insecure version, so are still vulnerable

Despite advances in supply chain security practices, consumer behavior lags, illustrating a critical failure in consumption practices. To address these issues, organizations must embrace best practices like proactive dependency management, choosing high-quality components, and avoiding malware risks.

To better understand how to actually choose high-quality components, we took a look at key heuristics — which include active community engagement, projects publishing Software Bills of Materials (SBOMs), and support from recognized foundations. We notably found that projects backed by recognized foundations have better security practices and reduced vulnerabilities.

Efficiency and Waste: The Time Drain on Developers

Efficiency in the development process is also at risk. Managing open source risks requires optimizing security policies and practices to keep up with the fast-paced evolution of new OSS libraries. Organizations struggle with the impracticality of slowing down DevOps processes for manual vulnerability reviews, leading to frustration among developers. Enterprises must aim to reduce waste by optimizing their remediation effort with the best possible software composition analysis tool.

Through our analysis, we know: 

  • Size of application does not matter — with the average applications containing 180 components, even small applications face unmanageable workloads due to increasing dependencies
  • Quality data does matter. 92% of crowdsourced or publicly available vulnerability data needed a correction once reviewed in more detail by a security researcher; 69% of vulnerabilities that were initially scored below 7 on the CVSS scale were corrected to 7 or higher, creating what we’re calling surprise risk and a false sense of comfort.
  • Efficiency isn’t just about security, but about licenses: while an open source project typically has an overarching license, individual files may have different licenses as contributions grow, potentially impacting the project downstream.

The current reactive approach to vulnerabilities and license reviews wastes developer time, leading to inefficiency and higher costs. To combat this, enterprises need effective software composition analysis tools that provide high-quality component intelligence and integrate seamlessly into the development process.

Efficiency and Waste by the Numbers

92%

crowdsourced or publicly available data needed a correction once reviewed by a security researcher 

Only 10.5%

of open source components are actively used out of over 7 million available

180

average number of components per application
EVEN SMALL APPLICATIONS FACE UNMANAGEABLE WORKLOADS

69%

vulnerabilities initially scored below 7 were corrected to 7 or higher on the CVSS scale upon closer review

A Call to Action and Vigilance: Proactive Management, Continuous Security, and Advanced Tooling

As attackers evolve their strategies to target the very foundation of software supply chains, the responsibility falls on software manufacturers, consumers, and regulators to adopt robust security practices. We can stop the bleeding and mitigate these mounting risks with proactive dependency management, advanced tooling, and earlier security intervention.

  • Always-on security practices: integrating tools like Software Composition Analysis (SCA) directly into CI/CD pipelines and throughout the development process reduces wasted developer time, provides context for informed decision-making, and gets ahead of this risk.
  • Reducing persistent risk is possible by focusing on tools that help manage dependencies and apply real-time vulnerability detection. In fact, we found that projects using a Software Bill of Materials (SBOM) to manage OSS dependencies showed a 264-day reduction in mean time to remediate (MTTR) compared to those that did not.

By embedding these practices early and managing OSS consumption more rigorously, organizations can cut down on risks before they grow corrosive and costly. Organizations must prioritize an advanced SCA tool that helps by selecting high-quality, well-maintained components, addressing risks as early as possible, and remaining vigilant against the evolving landscape of supply chain attacks. This proactive approach not only reduces developer frustration but also cuts down on wasted resources. Failure to do so leaves software ecosystems open to catastrophic breaches and operational inefficiencies.

The balance between innovation and security is more critical than ever. Open source ecosystems will continue to fuel technological breakthroughs, but organizations must evolve their security practices to avoid becoming victims of their own success. By addressing complacency, adopting robust tooling, and staying vigilant, software manufacturers can mitigate the persistent risks that threaten the future of innovation.

About the Analysis

Sonatype’s 10th Annual State of the Software Supply Chain report blends a broad set of public and proprietary data and analysis, including dependency update patterns for more than 1.5 trillion requests from Maven Central and thousands of open source projects, and the assessment of hundreds of thousands of key enterprise applications. This year’s report also analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npm), Python (PyPI), and .NET (NuGet) ecosystems. Special analysis was included thanks to the CHAOSS Community and their CHAOSS Community Report, as well as Tidelift and their survey of more than 400 open source maintainers, the source for The 2024 Tidelift State of the Open Source Maintainer Report. The authors have taken great care to present statistically significant sample sizes with regard to component versions, downloads, vulnerability counts, and other data surfaced in this year’s report.
