Malicious activity within software supply chains has evolved from opportunistic abuse into “sustained, industrialised” threats.
This shift is creating a “systemic risk” to economic stability, national infrastructure, and public trust. Shane Barney, CISO of Keeper Security, suggests that for enterprises and public sector organisations, this reality “directly challenges traditional assumptions about software provenance, trust, and accountability.”
The scale of the issue is driven by the volume of external code consumption. Sonatype research recently found that developers downloaded components 9.8 trillion times last year across Maven Central, PyPI, npm and NuGet. However, many of these contained malware or vulnerabilities. The security vendor discovered 454,648 new malicious packages last year, noting that threats are now often state-sponsored.
Governance and visibility
Barney argues that the sheer volume of interaction between internal codebases and external repositories transforms the nature of software supply chain threats. “The scale of malicious open-source activity outlined in Sonatype’s latest report should be treated as both a governance issue and a technical one,” Barney said.
The industrialisation of these campaigns means attacks are no longer just “spam and stunts”. Instead, they are “sustained, well-resourced cyber operations that deliberately exploit trust in widely-used development platforms.”
Effective mitigation requires moving beyond individual developer responsibility. “Open-source risk cannot be managed solely at the developer level,” Barney stated. “Effective mitigation requires executive ownership and policy-driven controls that treat software supply chain security as an organisational responsibility.”
This starts with visibility. Organisations must know “what code is being used, including comprehensive Software Bills of Materials (SBOMs), but must extend further into how access is governed, enforced, and monitored across development environments.”
Credential security for a new era of software supply chain threats
A primary objective of these campaigns is to compromise identity. “Attackers consistently target credentials, secrets, and privileged access because they provide the fastest path to scale,” Barney observed.
To limit the blast radius when a component is compromised, organisations must enforce strict architectural controls. “Centralising credential management, enforcing least-privilege access, and maintaining detailed audit trails are essential to limiting exposure when malicious components inevitably slip through.”
Barney adds that “securing API keys and developer secrets in protected vaults further reduces the ability of attackers to move laterally or escalate privileges following a compromise.”
Ensuring organisational resilience
The implications of these risks place them firmly on the agenda for senior leadership. “For boards, regulators, and senior leaders, software supply chain security is now a matter of organisational resilience and national interest,” Barney said.
The cost of underestimating this shift is high. “Treating it as anything less leaves institutions exposed to threats that are increasingly strategic, persistent, and difficult to contain once embedded.”
Organisations must decouple secrets from their codebases and implement automated SBOM generation. By treating dependency management as a board-level governance issue rather than a developer task, technical leaders can build resilience against industrialised supply chain attacks.