CAMBRIDGE, Mass., March 12, 2025 (GLOBE NEWSWIRE) — ReversingLabs (RL), the trusted name in file and software security, today released its third annual Software Supply Chain Security Report. The 2025 report details the growing sophistication of software supply chain attacks fueled by widespread flaws in open-source and third-party commercial software, along with malicious campaigns targeting AI and cryptocurrency development pipelines.
According to RL data, open-source software remained a key element of supply chain risk in 2024. For example, incidents of exposed development secrets via publicly accessible, open-source packages rose 12% compared to 2023. And critical and exploitable software flaws continued to lurk in even the most widely used open-source packages. A scan of 30 open-source packages that account for more than 650 million total downloads across three leading open-source package managers found an average of 6 critical-severity and 33 high-severity flaws per package.
But open-source software is just one source of software supply chain risk. A scan by RL of more than two dozen widely used commercial-software binaries, including commercial and open-source operating systems, password managers, web browsers, and virtual private network (VPN) software, found evidence of software risks lurking in third-party commercial binaries. Many of the packages scanned by RL received a failing security grade due to the discovery of exposed secrets, actively exploited software vulnerabilities, evidence of possible code tampering, and inadequate application hardening.
“The 2025 report highlights the challenges faced by software vendors and their enterprise buyers,” said Mario Vuksan, Co-Founder and CEO of ReversingLabs. “First is the increasing sophistication of the attackers, and their willingness to invest years to plan and carry out their attacks. Second is the move beyond open source to target commercial software. This reinforces the need to establish better controls over the software we build and deploy. This is especially true with the rise of AI across the software supply chain.”
Industry analyst firm Gartner underscored this need for focus at its Gartner Security & Risk Management Summit 2024 London, saying that the “security of the software supply chain is now as critical as the security of the software itself.”
Additional key findings for the 2025 SSCRR report include:
Third-Party Commercial Software Is Targeted and Exposed
While much of the conversation about software supply chain security focuses on open-source software packages, the most prominent risks lie in closed-source, commercial software. To underscore this problem, RL scanned 20 distinct versions of VPN clients from six prominent vendors and found worrying trends including:
- Seven of the 20 VPN packages contained one or more patch-mandated and/or exploited software vulnerabilities.
- Four of the 20 VPN packages scanned contained exposed developer secrets.
Serious Risks Continue to Lurk in Open-Source Packages
While prominent risks lay in third-party commercial software, open-source software modules and code repositories still accounted for the vast majority of supply chain risks in 2024. RL identified serious, exploitable software flaws, configuration errors, and other problems lurking in widely used open-source modules, which present a significant risk. Additional examples of open-source risks include:
- Rampant “code rot”: RL’s analysis of popular npm, PyPI, and RubyGems packages found that many widely used open-source modules contain old and outdated open-source and third-party software modules.
- RL’s scan of an npm package with close to 3,000 weekly downloads and 16 dependent applications identified:
  - No code updates in more than 7 years.
  - 164 distinct code vulnerabilities with 43 rated “critical” severity and 81 rated “high” severity.
  - Seven software vulnerabilities that are known to have been actively exploited by malware.
Attacks on Crypto Apps Send Warnings for Software Producers
2024 saw a parade of sophisticated software supply chain attacks targeting cryptocurrency exchanges, wallets, and end-user applications. The crypto-focused attackers employed sophisticated and high-touch techniques to gain access to sensitive cryptocurrency applications and infrastructure. The report outlines research on detected malicious code in an established Python package, aiocpa.
Threats to AI Supply Chains are Growing
The SSCS Report also documents a series of malicious software supply chain campaigns targeting development infrastructure and code used by developers of AI and large language model machine learning applications. RL researchers discovered a malicious technique dubbed “nullifAI” in which malicious code was placed in Pickle serialization files, while evading protections built into the Hugging Face open-source platform – a main resource for AI and ML developers.
To learn more about current and emerging trends in software supply chain risk, download the full report and attend the upcoming RL webinar, “The Year In Software Supply Chain Threats.”
About ReversingLabs
ReversingLabs is the trusted name in file and software security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, RL Spectra Core powers the software supply chain and file security insights, tracking over 422 billion searchable files daily with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.
Media Contact
Doug Fraim
Guyer Group
Doug@Guyergroup.com