Our Methodology

RL’s fourth annual Software Supply Chain Security Report brings together and analyzes public reports and data with non-public, anonymized data compiled by RL analysts and powered by Spectra Core, the world’s fastest and most comprehensive software platform for automated static decomposition and analysis of binary files.

CVE and Vulnerability Data

Among the data that contributed to this year’s report is vulnerability data, such as registered CVEs, gathered from public and private sources, including the OSV vulnerability library. Vulnerability data was broken down according to the corresponding open-source repository (npm, PyPI, RubyGems, and NuGet). Data was also sorted by the severity of the CVSS score, the year, and so on.


Security Policies

As part of its research on open-source platforms, RL downloaded and processed software packages from the repositories listed above, analyzing them for violations of any of the scores of information security policies that RL monitors. That dataset included all versions of all the packages available in 2025, not just what was newly published in the last year. Developers can (and do) download older versions of most packages and are therefore exposed to any security flaws those versions contain. In addition, RL’s total package count includes any package versions that RL researchers have a record of from the repository in question, even if those versions are no longer available (deleted or removed from the repository).


OpenSSF Malicious Packages Repository Ratings

RL’s binary scanning capabilities have enabled us to become a leading contributor to the Open Source Security Foundation (OpenSSF) Malicious Packages Repository, which is a public repository containing reports of malicious packages identified in open-source package repositories.

Launched in 2023, the OpenSSF Malicious Packages Repository is a collective effort to identify, flag, and remove malicious packages that are lurking on open-source package repositories and that have been linked to a number of sophisticated supply chain attacks traced to both cybercriminal and nation-state actors. Doing so prevents the packages from becoming dependencies of legitimate code or applications.

A wide range of companies contribute to the OpenSSF’s Malicious Package Repository, including RL. As part of their work, contributing firms download, install, and execute packages from popular open-source package repositories such as npm and PyPI as they are published. Behaviors such as executed commands and network traffic are observed and compared to a set of known heuristics (patterns) exhibited by malicious packages. Those packages that have suspicious or malicious behavior detected are published to the new Malicious Packages Repository.

In 2025, RL received more than 4,000 OpenSSF credits for its contributions to the repository, making RL one of the top contributors to the repository, alongside Amazon and OpenSSF.


Malicious Package Statistics

When tallying the number of malicious packages, RL package count numbers are deduplicated. A counted package corresponds to a unique package name rather than to each version of that package. In other words: a malicious package, as far as this report is concerned, is any open-source package that has at least one version that violates a security policy. For example, if an npm package lists 25 different versions going back five years and three of those versions violate one or more security policies, RL counts the violation once (package X violated a security policy), not three times. Finally, malicious packages are grouped by the creation timestamp of the malicious version, not by when the malware or tampering was first detected, since the creation timestamp gives a more accurate picture of when the actual problem or threat first appeared.
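As an added illustration (not code from the report or from RL), the counting rules above in Python over constructed version records: a package is counted once however many of its versions violate a policy, and it is grouped by the creation date of the malicious version rather than the date it was flagged. The field names, and the choice of the earliest violating version when a package has several, are assumptions for this example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: one record per package version. Field names are
# assumptions for this illustration, not RL's actual schema.
VERSIONS = [
    # pkg-x: five versions, three violate a policy; all three spotted in 2025
    {"repo": "npm", "name": "pkg-x", "version": "1.0.0", "created": "2020-03-01", "detected": None, "violations": []},
    {"repo": "npm", "name": "pkg-x", "version": "1.1.0", "created": "2021-06-10", "detected": "2025-02-01", "violations": ["P1"]},
    {"repo": "npm", "name": "pkg-x", "version": "1.2.0", "created": "2022-01-05", "detected": None, "violations": []},
    {"repo": "npm", "name": "pkg-x", "version": "2.0.0", "created": "2023-04-12", "detected": "2025-02-01", "violations": ["P1", "P2"]},
    {"repo": "npm", "name": "pkg-x", "version": "2.1.0", "created": "2024-09-30", "detected": "2025-02-01", "violations": ["P2"]},
    # pkg-y: clean in every version, so never counted
    {"repo": "pypi", "name": "pkg-y", "version": "0.1", "created": "2024-05-05", "detected": None, "violations": []},
    # pkg-z: published late 2024, flagged (and since removed) in early 2025
    {"repo": "pypi", "name": "pkg-z", "version": "3.0", "created": "2024-12-30", "detected": "2025-01-02", "violations": ["P3"]},
]

def malicious_packages(versions):
    """Map each (repo, name) that has at least one violating version to the
    (created, detected) dates of its earliest violating version.
    Deduplication is by package name, not by version. Using the earliest
    violating version is an assumption; the report does not say how it
    handles packages with several malicious versions."""
    first_bad = {}
    for v in versions:
        if not v["violations"]:
            continue
        key = (v["repo"], v["name"])
        created = date.fromisoformat(v["created"])
        if key not in first_bad or created < first_bad[key][0]:
            first_bad[key] = (created, date.fromisoformat(v["detected"]))
    return first_bad

def count_by_year(versions, by="created"):
    """Count deduplicated malicious packages per year, grouped by creation
    timestamp (the report's choice) or by detection timestamp for contrast."""
    idx = 0 if by == "created" else 1
    counts = defaultdict(int)
    for dates in malicious_packages(versions).values():
        counts[dates[idx].year] += 1
    return dict(counts)
```

Grouping the same records by detection date instead would place both packages in 2025, which is the distortion the creation-timestamp rule avoids.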

Outside of the data RL compiled from its own scans and research, this report also references the work and findings of other cybersecurity industry players to identify trends, with RL correlating, confirming, and (sometimes) overriding the findings of competing firms.
