There is some good news when it comes to the security of open-source software (OSS): Incidents of malware lurking on OSS repositories dropped dramatically in 2024, data from the RL research team shows. Despite that, software supply chain risks coming from OSS grew last year — with a range of other threats and attacks putting software development organizations and their customers in the crosshairs of cybercriminal groups and nation-backed hackers.
Introduction to Malware Binary Triage (IMBT) Course
Looking to level up your skills? Get 10% off using coupon code: MWNEWS10 for any flavor.
Enroll Now and Save 10%: Coupon Code MWNEWS10
Note: Affiliate link – your enrollment helps support this platform at no extra cost to you.
That’s one of the key discoveries in RL’s "2025 Software Supply Chain Security Report," which found that attacks targeting OSS packages and the development organizations that rely on them were common in the past year, despite efforts to improve the security of popular package managers.
Here's what your organization needs to know about the changing face of OSS risk.
[ Download Today: 2025 Software Supply Chain Security Report | Join the SSCS Report Webinar ]
The weakest link: Volunteer labor at OSS repos
The incidents highlighted in RL’s third-annual report include the sophisticated, years-long campaign to infiltrate the XZ Utils open source project, which was first reported in March of last year. That saw a malicious actor using the handle “Jia Tan” (JiaT75) elevated to a package maintainer for the XZ Utils project, only to inject malicious code into two versions of the widely used XZ Utils compression library. The code allowed attackers with a private key to gain access to affected Linux systems.
That attack played on a long-recognized weakness in open source: its reliance on unpaid, volunteer labor to contribute and then manage popular open source code modules that sport hundreds or even thousands of dependent applications. In the case of XZ Utils, malicious actors leaned in on Lasse Collin, the longtime maintainer of XZ Utils, with “Jia Tan” gaining his trust through a series of legitimate code contributions, while a chorus of “sock puppet” developer accounts raised complaints about XZ Utils, and hounded Collin to do more to updates to the project.
Bad actors exploit OSS infrastructure
Beyond targeting maintainers, cybercriminals are now leveraging flaws in open-source package managers.
- Ultralytics attack: In December, attackers used a GitHub Actions script-injection flaw to breach the Ultralytics AI library’s build environment, steal API tokens, and implant malicious code.
- SSH key theft at npm: In January 2024, researchers found npm packages (warbeast2000, kodiak2k) stealing SSH keys from developer systems and storing them on GitHub.
A glimmer of hope: less malware
All this malicious activity comes amidst a notable drop in instances of malicious code on open source package managers.
Data from RL’s Spectra Assure software supply chain security tool shows a steep decline in malicious packages detected on common OSS platforms, including:
- npm, PyPI, and RubyGems combined: Incidents of malicious packages being detected across the three main open-source repositories declined by 70% between 2023 and 2024.
- On the Python Package Index (PyPI), detections of malicious packages dropped by 87% in the first nine months of 2024, and 6,500 fewer malicious packages were detected on PyPI in 2024 than during the same period in 2023.
The drop follows years of rapidly increasing malware incidents on open source package managers. Between 2020 and 2023, RL researchers noted a 1,300 percent jump in instances of malicious code on OSS repos. In RL's 2024 report, researchers noted that growth slowed in 2023, then dropped dramatically. Much of this decline is attributed to improved OSS security measures, including:
- Mandatory two-factor authentication (2FA) in major OSS package managers strengthened access control.
- OpenSSF's Malicious Packages Repository, launched in 2023, has improved threat detection and coordination for OSS code.
Chronic OSS problems, chronic risks
So how is it that OSS risk continues to grow? A variety of OSS security failings are now fueling malicious campaigns. Those include endemic problems such as leaked developer secrets, which expose sensitive credentials, as well as application programming interface (API) tokens and other information to would-be attackers. RL researchers noted a 12% increase in secret leaks in 2024, even as the number of malware incidents dropped. Leaks allow bad actors to carry out attacks later on downstream organizations.
And then there's the chronic insecurity of OSS code. For its 2025 Software Supply Chain Security Report, RL researchers scanned the top 30 OSS packages from the repositories npm, PyPI and RubyGems, to get a sense of the overall quality of these highly trafficked packages. The findings were sobering, including:
- Now more malicious, an average of 68 vulnerabilities across the 30 packages RL scanned contained an average of six critical-severity, and 33 high-severity vulnerabilities per package.
- “Code rot” — a reliance on old, unmanaged and out of date code — runs rampant. Widely- used OSS packages with thousands of weekly downloads have gone years without an update, and are full of exploitable vulnerabilities.
Even actively managed OSS projects routinely contain “code rot.” For example, in RL's 2025 report, researchers analyzed Torchvision, a Python package with 3.4 million weekly downloads — and 10 package updates in the last year. RL identified 45 vulnerabilities in the latest, scanned version of the package, four dating back more than six years. The vulnerabilities also include eight with a “critical” severity rating, and 24 with a “high” severity rating. One is considered “patch mandated” — and is being actively exploited by malware.
Popularity does not equal security
The message for software publishers and their customers is clear: When it comes to using open source software, don’t equate popularity and downloads with security and code quality. Open source projects — like their closed source counterparts — regularly turn a blind eye to security issues in their rush to push out new features.
With Torchvision, for example, the level of total, critical and high vulnerabilities stayed more or less constant across the 10 most recent software releases. Our analysis found many other popular packages on major open source repositories contain similar collections of critical and exploitable holes as well as other security risks.
Knowing about these in advance can empower your development organization’s decision about which OSS packages to incorporate into your applications, and enable you to mitigate security risks before malicious attackers discover and exploit them. That makes it critical to have the tools needed to peer into and assess the OSS and commercial, third-party software you produce and consume.
Get a deeper understanding of OSS risk — and how to properly manage it — with RL’s 2025 Software Supply Chain Security Report.
Article Link: Less malware, more risk: The changing face of open-source security