Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free TrialThe ReversingLabs research team found some good news when it comes to the security of open-source software (OSS): Incidents of malware lurking on OSS repositories dropped dramatically in 2024, data from RL’s "2025 Software Supply Chain Security Report" shows. But there's bad news too. Despite the decline in malware, software supply chain risks coming from OSS grew last year.
The third annual report found that attacks targeting OSS packages and the development organizations that rely on them were common in the past year, despite efforts to improve the security of popular package managers.
Here's what your organization needs to know about the changing face of OSS risk.
Download: 2025 Software Supply Chain Security ReportSee the SSCS Report Webinar
The incidents highlighted in RL’s report include the sophisticated, years-long campaign to infiltrate the XZ Utils open-source project, which was first reported in March of last year. The campaign culminated in a malicious actor who was using the handle “Jia Tan” (JiaT75) being elevated to package maintainer for the XZ Utils project and then injecting malicious code into two versions of the widely used XZ Utils compression library. The code allowed attackers with a private key to gain access to affected Linux systems.
That attack played on a long-recognized weakness in OSS: its reliance on unpaid, volunteer labor to contribute to the code and even manage what are often popular code modules that sport hundreds or even thousands of dependent applications. In the case of XZ Utils, malicious actors targeted Lasse Collin, the longtime maintainer of XZ Utils, with “Jia Tan” gaining his trust through a series of legitimate code contributions and a chorus of “sock puppet” developer accounts raising complaints about XZ Utils and hounding Collin to do more to update the project.
Targeted, hands-on attacks on overworked OSS maintainers weren’t the only threat facing open source projects and the software developers and producers that rely on them. In the past year, malicious actors leveraged flaws in OSS package managers to further their goals, including:
All this malicious activity comes amid a notable drop in instances of malicious code on open-source package managers. Data from RL’s Spectra Assure software supply chain security tool shows a steep decline in malicious packages detected on common OSS platforms, including:
The drop follows years of rapidly increasing malware incidents on open-source package managers. Between 2020 and 2023, RL researchers noted a 1,300% jump in instances of malicious code on OSS repos. In RL's 2024 report, researchers noted that growth slowed in 2023 and then dropped dramatically. Much of this decline is attributed to improved OSS security measures, including:
So how is it that OSS risk continues to grow? A variety of OSS security failings are now fueling malicious campaigns. Those include endemic problems such as leaked developer secrets, which expose sensitive credentials, API tokens, and other information. RL researchers noted a 12% increase in secrets leaks in 2024, even as the number of malware incidents dropped. Such leaks can allow bad actors to carry out attacks on downstream organizations.
Then there's the chronic insecurity of OSS code. For its 2025 Software Supply Chain Security Report, RL researchers scanned the top 30 OSS packages from the repositories npm, PyPI, and RubyGems to get a sense of the overall quality of these high-traffic packages. The findings, including these, were sobering:
Even actively managed OSS projects routinely are afflicted with code rot. For example, in RL's 2025 report, researchers analyzed Torchvision, a Python package with 3.4 million weekly downloads — and 10 package updates in the last year. RL identified 45 vulnerabilities in the latest, scanned version of the package, four dating back more than six years. The vulnerabilities also include eight with a critical-severity rating and 24 with a high-severity rating. One is considered “patch-mandated” — and is being actively exploited by malware.
The message for software publishers and their customers is clear: When it comes to using OSS, don’t equate popularity and downloads with security and code quality. Open-source projects, like their closed-source counterparts, regularly turn a blind eye to security issues in their rush to push out new features.
With Torchvision, for example, the level of total-severity, critical-severity, and high-severity vulnerabilities stayed more or less constant across the 10 most recent software releases. Our analysis found that many other popular packages on major open-source repositories contain similar collections of critical and exploitable holes as well as other security risks.
Knowing about these in advance can empower your development organization’s decision about which OSS packages to incorporate into your applications and enable you to mitigate security risks before malicious attackers discover and exploit them. That makes it critical to have the tools needed to peer into and assess the OSS and commercial, third-party software you produce and consume.
Get a deeper understanding of OSS risk — and how to properly manage it — with RL’s 2025 Software Supply Chain Security Report.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial