
RL’s fourth annual Software Supply Chain Security Report brings together and analyzes public reports and data with non-public, anonymized data compiled by RL analysts and powered by Spectra Core, the world’s fastest and most comprehensive software platform for automated static decomposition and analysis of binary files.
CVE and Vulnerability Data
Among the data that contributed to this year’s report is vulnerability data, such as registered CVEs, gathered from public and private sources, including the OSV vulnerability library. Vulnerability data was broken down according to the corresponding open-source package repository (npm, PyPI, RubyGems, and NuGet). Data was also sorted by the severity of the CVSS score, the year of publication, and so on.
Security Policies
As part of its research on open-source platforms, RL downloaded and processed software packages from the repositories previously listed, analyzing them for violations of any of the scores of information security policies that RL monitors. That dataset included all versions of all the packages available in 2025, not just what was newly published in the last year. Developers can (and do) download older versions of most packages and are therefore exposed to any security flaws those versions contain. In addition, RL’s total package count includes any package versions that RL researchers have a record of from the repository in question, even if the packages are no longer available (deleted or removed from the repository).
OpenSSF Malicious Packages Repository Ratings
RL’s binary scanning capabilities have enabled us to become a leading contributor to the Open Source Security Foundation (OpenSSF) Malicious Packages Repository, which is a public repository containing reports of malicious packages identified in open-source package repositories.
Launched in 2023, the OpenSSF Malicious Packages Repository is a collective effort to identify, flag, and remove malicious packages that are lurking on open-source package repositories and that have been linked to a number of sophisticated supply chain attacks traced to both cybercriminal and nation-state actors. Doing so prevents the packages from becoming dependencies of legitimate code or applications.
A wide range of companies contribute to the OpenSSF’s Malicious Packages Repository, including RL. As part of their work, contributing firms download, install, and execute packages from popular open-source package repositories such as npm and PyPI as they are published. Behaviors such as executed commands and network traffic are observed and compared to a set of known heuristics (patterns) exhibited by malicious packages. Packages in which suspicious or malicious behavior is detected are published to the Malicious Packages Repository. In 2025, RL received more than 4,000 OpenSSF credits for its contributions to the repository, making RL one of the top contributors to the repository, alongside Amazon and OpenSSF.