
Why open-source software supply chain attacks have tripled in a year

October 5, 2023

The number of incidents in which malicious packages are uploaded to public component registries has exploded over the past year, showing that attackers increasingly favor this initial access tactic. According to data from software supply chain management company Sonatype, the number of malicious packages detected across the various open-source ecosystems tripled year over year.

“Looking at it a different way, it also indicates that in one year alone, we’ve seen twice as many supply chain attacks as the cumulative numbers in previous years,” Sonatype said in its annual State of the Software Supply Chain report.
