Malware has infiltrated open source ecosystems at an alarming rate, according to Sonatype’s 10th annual State of the Software Supply Chain.

According to the survey report, more than “512,847 malicious packages have been logged just in the past year, a 156% increase year-over-year,” highlighting the need for organizations to better understand and adapt their use of open source software.

Organizations continue to struggle with persistent vulnerabilities, such as Log4j, with 13% of downloads remaining vulnerable three years after the issue was first exposed, the report says. Specifically:

• 80% of application dependencies remain un-upgraded for more than a year, even though 95% of the vulnerable versions have safer alternatives available.
• 3.6% of dependencies are still vulnerable because they were updated to another insecure version.
• Reliance on end-of-life (EOL) components, which no longer receive updates, leads to the gradual breakdown of software integrity.

The report also states that “reducing persistent risk is possible by focusing on tools that help manage dependencies and apply real-time vulnerability detection.” For example, “projects using a Software Bill of Materials (SBOM) to manage OSS dependencies showed a 264-day reduction in mean time to remediate (MTTR) compared to those that did not.”

Read more at Sonatype.