2023 saw twice as many software supply chain attacks as 2019-2022 combined. Sonatype logged 245,032 malicious packages in 2023. One in eight open-source downloads today poses known and avoidable risks. Vulnerabilities can still be prevented Nearly all (96%) vulnerabilities are still avoidable. 2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available – the exact same percentage as in 2022. For every non-optimal component upgrade … More

The post The root cause of open-source risk appeared first on Help Net Security.