Open Source Software Supply Chain Attacks On the Rise

Open source software has experienced remarkable growth in recent years. According to Sonatype’s 9th annual State of the Software Supply Chain report, in fact, the ecosystem studied by the report showed a 29 percent project growth rate year-over-year. 

The most recent findings, however, also show a decrease in consumption along with an increase in software supply chain attacks. “Over the past two years, the rate of download growth has been progressively declining. In 2023, the average growth rate stands at 33 percent, a substantial decrease from the remarkable 73 percent year-over-year growth in 2021,” says Aaron Linskens.

Version Control

In this article, we’ll look at highlights from the report, with a focus on security aspects. For example, the report states that:

  • Twice as many software supply chain attacks occurred in 2023 as in 2019-2022 combined.
  • One in eight open source downloads today pose known and avoidable risks.
  • Nearly all (96%) vulnerabilities are avoidable. 
  • Only 11 percent of open source projects are “actively maintained.”

I think that third point bears repeating: 96 percent of known vulnerabilities downloaded from Maven Central have a non-vulnerable version available.

Specifically, the report says “2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available — the exact same percentage as in 2022. For every suboptimal component upgrade made, there are typically 10 superior versions available.”

Legacy of Log4Shell

The Log4Shell vulnerability, which has topped CISA/NSA charts for active exploits for more than a year now, provides a stark example. “As of September 2023, downloads vulnerable to the infamous Log4Shell vulnerability still account for nearly a quarter of all net new downloads of Log4j,” the report says. “It should be highlighted, that almost two years after the initial finding of this vulnerability, we’re seeing this pace continue every week as a quarter of all downloads are of the vulnerable version of Log4j.”

These statistics are cause for concern as known vulnerabilities are increasingly exploited. A joint advisory issued by global cybersecurity agencies, for example, states that most of the vulnerabilities routinely exploited last year were disclosed in 2021 or earlier. “Developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years,” the advisory says.

As the report notes, this trend “illustrates a clear need for organizations to pay closer attention to what versions they are adopting” and calls for behavioral changes and accountability within organizations. As the OpenSSF’s Open Source Consumption Manifesto states, “We are responsible for the open source we use, how we consume it, and how we manage the risk associated with that consumption.”


Along with the increase in software supply chain attacks, however, the report notes a “disconnect between perceived security and reality in software development.” Namely:

  • Organizations think they have their software supply chains under control: 67 percent of respondents feel confident that their applications do not rely on known vulnerable libraries. Yet nearly 10 percent of respondents reported their organizations had security breaches due to open source vulnerabilities in the last 12 months.
  • Awareness and mitigation of open source vulnerabilities lacks urgency in many organizations: The report found that 39 percent of organizations discover vulnerabilities within one to seven days; 29 percent take over a week to become aware and 28 percent discover within one day; When it comes to mitigation, 36.2 percent of respondents require over a week to mitigate vulnerabilities. 

Overall, organizations face multiple challenges in addressing these concerns. “Impactful change necessitates clear direction,” notes Brian Fox, CTO at Sonatype. 

“The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers, and giving them access to the right tools. The goal is to help developers be more intentional about downloading open source software from projects with the most maintainers and the healthiest ecosystem of contributors," Fox says.

Read the complete report to learn more.

FOSSlife Newsetter