The growing sophistication of software supply chain attacks is driven both by widespread defects in open-source and third-party commercial software and by malicious campaigns that specifically target AI and cryptocurrency development pipelines, according to a ReversingLabs report.
According to ReversingLabs data, open-source software remained a key element of the supply chain risk picture in 2024. For example, incidents of development secrets exposed through publicly accessible open-source packages increased by 12% compared to 2023. And critical, exploitable software flaws continued to lurk in the most widely used open-source packages. An analysis of 30 open-source packages, representing more than 650 million total downloads across three major open-source package managers, found on average 6 critical-severity and 33 high-severity flaws per package.
However, open-source software is only one source of software supply chain risk. A ReversingLabs analysis of more than two dozen binaries of widely used commercial software, including commercial and open-source operating systems, password managers, web browsers and virtual private network (VPN) software, found evidence of software risks lurking in third-party commercial binaries.
Many of the scanned packages received a failing security grade due to the discovery of exposed secrets, actively exploited software vulnerabilities, evidence of possible code tampering and inadequate application hardening.
“The 2025 report highlights the challenges faced by software suppliers and their business buyers,” said Mario Vuksan, CEO of ReversingLabs. “The first is the growing sophistication of attackers and their willingness to invest years in planning and carrying out their attacks. The second is their move beyond open source to target commercial software.”
Gartner underlined this need for focus, saying that “the security of the software supply chain is now as critical as the security of the software itself”.
Third-party commercial software under attack
Although much of the conversation about software supply chain security focuses on open-source software packages, the most significant risks reside in closed-source software. To underline this problem, ReversingLabs scanned 20 distinct versions of VPN clients from six leading vendors and found troubling trends, in particular:
- Seven of the 20 VPN packages contained one or more known and/or exploited software vulnerabilities.
- Four of the 20 scanned VPN packages contained exposed developer secrets.
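The exposed-developer-secrets finding above (and the 12% rise in secrets leaked through public packages noted earlier) is the kind of defect a producer can catch before release with a static scan of the package archive. The script below is an added example, not ReversingLabs' tooling; the secret patterns are a minimal assumed set (the AWS access key ID format is public; the other two are generic heuristics), and the sample tarball and its fake credentials are constructed inline.

```python
"""Scan a package archive for exposed developer secrets before it is published or installed.

Added example (not from the report); the sample package contents below are constructed.
"""
import io
import re
import tarfile

# Patterns that commonly indicate a leaked credential. "AKIA" + 16 chars is the
# documented public format of an AWS access key ID; the other two are generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}

# Only text-like members are scanned; binary members are skipped to keep the pass cheap.
TEXT_SUFFIXES = (".py", ".js", ".json", ".env", ".yml", ".yaml", ".txt", ".cfg", ".ini", ".md")


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every match in one file's text."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((path, line_no, name))
    return findings


def scan_tarball(data: bytes) -> list[tuple[str, int, str]]:
    """Walk every text member of a (possibly gzipped) tarball held in memory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(TEXT_SUFFIXES):
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, text))
    return findings


def build_sample_package() -> bytes:
    """Constructed sdist-like tarball: a clean module, a .env and a config holding fake secrets."""
    files = {
        "pkg/__init__.py": "VERSION = '1.0.0'\n",
        "pkg/.env": (
            "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n"  # constructed value, not a real key
            "DB_PASSWORD=constructed_example_pw_value\n"
        ),
        "pkg/config.py": 'API_KEY = "sk_constructed_example_value_1234"\n',
        "pkg/README.md": "No credentials belong in this package.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for path, line_no, kind in scan_tarball(build_sample_package()):
        print(f"{path}:{line_no}: possible {kind}")
```

Run as a pre-publish check, a non-empty result should fail the release; a scan like this catches the `.env` and hard-coded config cases but not secrets that are base64-wrapped or split across lines, so it complements rather than replaces entropy-based scanners.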
Although significant risks lurk in third-party commercial software, open-source software modules and code repositories still accounted for the vast majority of supply chain risks in 2024. ReversingLabs identified serious, exploitable software flaws that present significant risk.
Additional examples of open-source risks include:
- Rampant “code rot”: analysis of popular npm, PyPI and RubyGems packages revealed that many widely used open-source modules contain old and outdated third-party modules.
- A ReversingLabs scan of an npm package with nearly 3,000 weekly downloads and 16 dependent applications identified:
  - no code update in more than 7 years;
  - 164 distinct code vulnerabilities, 43 of “critical” severity and 81 of “high” severity;
  - seven vulnerabilities known to have been actively exploited by malware.
Software producers warned of rising attacks on cryptocurrency applications
2024 saw a parade of sophisticated software supply chain attacks targeting cryptocurrency exchanges, wallets and end-user applications. Cryptocurrency-focused attackers used sophisticated, advanced techniques to gain access to sensitive cryptocurrency applications and infrastructure. The report describes research on malicious code detected in an established Python package, aiocpa.
The report also documents a series of malicious software supply chain campaigns targeting the development infrastructure and code used by developers of AI, machine learning and large language model applications.
Researchers discovered a malicious technique nicknamed “nullifAI” in which malicious code was placed in Pickle serialization files while evading the built-in protections of the open-source platform Hugging Face, a major resource for AI and ML developers.
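The reason a Pickle file can carry malicious code at all is that unpickling may import and call any callable the stream names; a defender's first check is therefore to read the opcode stream without executing it and refuse files that reference anything outside an allowlist. The following is an added example of that check, not the report's or Hugging Face's own scanner; the allowed-module set is an assumption for illustration, and both sample pickles (one plain data, one whose `__reduce__` names the harmless `base64.b64decode`) are constructed here.

```python
"""Inspect a pickle's opcode stream before unpickling it, instead of trusting pickle.load.

Added example (not from the report or from Hugging Face's tooling); samples are constructed.
"""
import base64
import pickle
import pickletools

# Modules a data or model pickle may legitimately import from. This set is an
# assumption for the example; a real deployment tunes it to its own file formats.
ALLOWED_MODULES = {"builtins", "collections", "numpy", "numpy.core.multiarray", "torch", "torch._utils"}
# Callables that are never acceptable in a data file, even from an allowed module.
DENIED_GLOBALS = {("builtins", n) for n in ("eval", "exec", "compile", "getattr", "__import__", "open")}

_STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                   "STRING", "BINSTRING", "SHORT_BINSTRING"}


def find_suspicious_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, name) pairs the pickle would import that fall outside the policy.

    Only the opcode stream is read (pickletools.genops); nothing is executed.
    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) consumes the two
    most recent string operands, so string pushes are tracked while walking the stream.
    """
    suspicious = []
    recent_strings = []
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            if opcode.name in _STRING_OPCODES:
                recent_strings.append(arg)
                continue
            if opcode.name == "GLOBAL":
                module, name = arg.split(" ", 1)
            elif opcode.name == "STACK_GLOBAL":
                if len(recent_strings) < 2:
                    return [("<malformed>", "<malformed>")]
                name = recent_strings.pop()
                module = recent_strings.pop()
            else:
                continue
            if module not in ALLOWED_MODULES or (module, name) in DENIED_GLOBALS:
                suspicious.append((module, name))
    except ValueError:
        # Truncated or corrupt stream: treat as unsafe rather than guessing.
        return [("<malformed>", "<malformed>")]
    return suspicious


def is_safe_to_load(data: bytes) -> bool:
    return not find_suspicious_globals(data)


def load_if_clean(data: bytes):
    """Unpickle only after the static check passes."""
    bad = find_suspicious_globals(data)
    if bad:
        raise ValueError(f"refusing to unpickle: references {bad}")
    return pickle.loads(data)


def build_benign_sample() -> bytes:
    """Plain data only: the stream references no callables at all."""
    return pickle.dumps({"weights": [0.1, 0.2], "labels": ("cat", "dog")}, protocol=4)


class _Gadget:
    """Constructed stand-in for a hostile object: on load, pickle imports and calls
    whatever __reduce__ names. Here that is the harmless base64.b64decode, but the
    mechanism is identical for any importable callable, which is why it is flagged."""

    def __reduce__(self):
        return (base64.b64decode, (b"aGk=",))


def build_suspicious_sample() -> bytes:
    return pickle.dumps({"model": _Gadget()}, protocol=4)


if __name__ == "__main__":
    print(find_suspicious_globals(build_benign_sample()))      # []
    print(find_suspicious_globals(build_suspicious_sample()))  # [('base64', 'b64decode')]
```

The allowlist is deliberately the policy knob: a scanner that only denylists known-bad names is what an evasion technique works around, whereas refusing every import not explicitly expected fails closed. Where the format allows it, prefer serialization that cannot name callables at all (for model weights, safetensors) over hardening Pickle loading.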