SiliconAngle reports that malicious open-source packages reached 512,847 during the past 12 months, a 156% year-over-year increase, while downloads of open-source software exceeded 6.6 trillion, most of them JavaScript package requests.
These escalating threats, made worse by the fact that traditional security software increasingly fails to detect them, have not been matched by improved security practices: according to a study from Sonatype, 95% of flawed OSS components downloaded during the past year were pulled even though a more secure version was available. Organizations have also left 80% of application dependencies without an update for more than a year despite the presence of safer versions, and vulnerabilities are taking longer to remediate, likely because of excessive maintainer workloads. The study also found limited use of software bills of materials: only about 60,000 SBOMs were published during the past year, compared with almost 7 million newly published open-source components over the same period.