
Software supply chain attacks increase 742% in three years

A recent study by Sonatype, a software supply chain management platform, has reported a huge increase in supply chain attacks as part of their eighth annual State of the Software Supply Chain report.

The report also uncovered 88,000 potentially malicious files available to organisations.

Free and/or open-source software downloads have shown a huge increase as organisations and software developers alike look to reduce the time between new software being created and becoming usable.

The firm stated that they expect the number of requests for open-source software to exceed three trillion before the end of 2022.

According to Sonatype, the sharp rise in open-source consumption means that threats and vulnerabilities hidden among otherwise trusted sources are easily missed by developers.

As an example, the report explained that Java applications often carry up to 10 updates per year and on average contain 148 dependencies (an increase of 20 over 2021). This means that developers must track nearly 1500 changes each year.

The report also highlighted that 96% of Java open-source downloads containing a known vulnerability could have been avoided by choosing an alternative download. These alternative versions were equally available, but for unknown reasons were overlooked in favour of those containing vulnerabilities.

The report shows researchers have uncovered 88,000 malicious open-source packages already in 2022 and this equates to the staggering 742% increase over the number recorded for 2019.

In terms of organisations carrying out due diligence before downloading open-source software packages onto their IT estates, the report also found that whilst 68% of survey respondents were confident they were not using vulnerable libraries, a random sample of such applications showed that the same proportion (68%) did in fact contain known vulnerabilities.
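The two findings above (that a non-vulnerable alternative version usually existed, and that confidence in being vulnerability-free did not match reality) both come down to the same check: comparing what is actually declared in a build against an advisory list and, where a dependency is affected, finding the nearest release that is not. The following script is an added example written for this post, not Sonatype's tooling or any real vulnerability database. The package coordinates, version catalogue and advisory identifiers are all constructed for illustration.

```python
"""Dependency audit sketch (added example; not Sonatype's tooling).

Checks a constructed list of Maven-style coordinates against a constructed
advisory table and recommends the nearest non-vulnerable version when the
registry offers one. All names, versions and advisory IDs are invented.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    artifact: str      # "group:artifact"
    introduced: str    # first affected version (inclusive)
    fixed: str         # first unaffected version (exclusive bound)
    advisory_id: str   # hypothetical identifier, not a real CVE


# Constructed advisory table (hypothetical artifacts, versions and IDs).
ADVISORIES = [
    Advisory("org.example:logger", "2.0.0", "2.17.1", "EXAMPLE-2021-0001"),
    Advisory("org.example:xml-parser", "1.0.0", "1.4.0", "EXAMPLE-2022-0002"),
    Advisory("org.example:http-client", "4.0.0", "4.5.13", "EXAMPLE-2020-0003"),
    Advisory("org.example:crypto-utils", "1.0.0", "1.2.0", "EXAMPLE-2022-0004"),
]

# Constructed catalogue of releases the registry actually offers.
AVAILABLE = {
    "org.example:logger": ["2.14.1", "2.15.0", "2.17.1", "2.17.2"],
    "org.example:xml-parser": ["1.3.0", "1.4.0", "1.4.2"],
    "org.example:http-client": ["4.5.12", "4.5.13", "4.5.14"],
    "org.example:crypto-utils": ["1.0.0", "1.1.0"],   # no fixed release yet
    "org.example:util": ["1.0.0", "1.1.0"],
}

# Constructed dependency list, as a build file might declare it.
DEPENDENCIES = [
    "org.example:logger:2.14.1",        # affected, fix available
    "org.example:xml-parser:1.4.2",     # already past the fix
    "org.example:http-client:4.5.12",   # affected, fix available
    "org.example:crypto-utils:1.0.0",   # affected, no fix published
    "org.example:util:1.0.0",           # no advisory at all
]


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def nearest_clean_version(artifact: str, current: str):
    """Smallest available release >= current that no advisory covers."""
    relevant = [a for a in ADVISORIES if a.artifact == artifact]
    for cand in sorted(AVAILABLE.get(artifact, []), key=parse_version):
        if parse_version(cand) < parse_version(current):
            continue
        if not any(is_affected(cand, a) for a in relevant):
            return cand
    return None


def audit(coordinates):
    """Return one finding per vulnerable coordinate, in declaration order."""
    findings = []
    for coord in coordinates:
        group, artifact, version = coord.split(":")
        key = f"{group}:{artifact}"
        hits = [a for a in ADVISORIES if a.artifact == key and is_affected(version, a)]
        if hits:
            findings.append({
                "coordinate": coord,
                "advisories": [a.advisory_id for a in hits],
                "alternative": nearest_clean_version(key, version),
            })
    return findings


def avoidable_fraction(findings) -> float:
    """Share of vulnerable dependencies for which a clean release exists."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["alternative"]) / len(findings)


if __name__ == "__main__":
    results = audit(DEPENDENCIES)
    for f in results:
        print(f["coordinate"], f["advisories"], "->", f["alternative"] or "no fixed release")
    print(f"avoidable: {avoidable_fraction(results):.0%}")
```

The `avoidable_fraction` figure is the same kind of measure the report quotes as 96% for Java downloads; running this check at build time, rather than trusting that nobody added a vulnerable version, is what closes the gap between the 68% who felt confident and the 68% who were in fact exposed.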

Whilst Software as a Service and the availability of open-source software can create swifter working practices and improved services for personnel carrying out their day-to-day tasks, the potential vulnerabilities that may lurk inside such software should be borne in mind.

Organisations are encouraged to carry out effective due diligence if considering open-source software packages, particularly if organisational networks are connected to such packages.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
