Upstream Supply Chain Attacks Triple in a Year

Cybersecurity firm Sonatype recorded three times as many malicious packages in open source ecosystems in 2023 as in the previous year, and twice as many software supply chain attacks as in the whole 2019-2022 period. Sonatype's report also noted that most component downloads were of outdated versions, and that 23% of Log4j downloads were still of versions carrying critical known vulnerabilities, adding to the cyber risk. The company argued that the developers consuming open source, rather than its maintainers, need to be more risk-aware and should only download components from trusted sources.