Malware in Open Source Ecosystems Becomes Largest Threat to Supply Chains

What's more, organizations understand the risk, yet fewer than half plan to increase budgets for 2026.

Marina M Headshot
Marina Mayer
Apr 6, 2026
Endor Labs
Adam121 Adobe Stock 315095274
adam121 AdobeStock_315095274

Malware in open source software is no longer a fringe threat–it's accelerating at an unprecedented rate. In 2025 alone, more than 90% of open source vulnerability (OSV) malware advisories were reported, a 14-times increase over the past two years, while 92% of npm account takeovers (where maintainers of trusted open-source software (OSS) projects are compromised) also occurred last year, according to "Malware in Open Source Ecosystems,” produced by Endor Labs.

"Most application security programs were built around vulnerability management, not to detect malware in the software supply chain. Attackers understand this. AI coding agents, MCP servers, and model dependencies are creating new entry points, and we're already seeing an uptick in malware in open source ecosystems targeting AI coding agents," says Varun Badhwar, CEO of Endor Labs. "The gap between how fast attackers move and how fast organizations respond is widening, and without a coordinated, cross-functional approach, even strong controls fail in practice."

Key takeaways:

 

·        Despite widespread recognition of the threat, with 81% of organizations naming OSS malware a top security priority, only 21% enforce protections like cooldown periods, leaving attackers a widening window to exploit the software supply chain.

·        Organizations are treating OSS malware as isolated incidents rather than a coordinated security challenge.

·        While most understand the urgency (88% say the first few days after a package release are the riskiest), few take effective action, leaving their environments vulnerable to attackers who are increasingly hijacking trusted packages.

  • Malicious OSS surged in 2025, with advisories issued faster than organizations can respond. Even short-lived malicious versions can be automatically pulled into thousands of environments within hours.
  • Organizations understand the risk, yet fewer than half plan to increase budgets for 2026.
  • Many compromised packages remain downloadable even after being reported. Only 14% of previously compromised npm packages use modern security controls like Trusted Publishing. Fragmented responsibility across teams further increases exposure.
Latest in Risk/Compliance
Chatchanan Adobe Stock 923084100
How AI Turns Trade Chaos into Supply Chain Advantage
June 6, 2026
Bernice Adobe Stock 575699638
Freight Market Challenged With Getting Ahead of Supply Chain Disruptions
June 6, 2026
Ipopba Adobe Stock 268793354
Beroe and Kearney Launch AI-Native Decision Engine
June 5, 2026
Sdecoret Stock adobe com
Identity Verification Poses Biggest Risk to Supply Chains in 2026
June 5, 2026
Related Stories
Kaikoro Adobe Stock 245853295
AI/AR
Why the AI Pilot Era is Over
Andrii Adobe Stock 1222539989
Risk/Compliance
Liberation Day, One Year Later: Tariffs Still Rewriting Rules of Global Trade
Nikola Master Adobe Stock 197991316
Procurement Software
ActiveState Launches Secure Library of Open Source Components
Kras99 Adobe Stock 279325601
AI/AR
4 Ways Artificial Intelligence Drives Supply Chain Sustainability
More in Risk/Compliance
AI/AR
How AI Turns Trade Chaos into Supply Chain Advantage
Amberd.ai
The future of supply chain management lies in data unification and intelligent automation. Here's why.
Chatchanan Adobe Stock 923084100
Fleet Management
Freight Market Challenged With Getting Ahead of Supply Chain Disruptions
Uber Freight
Fuel costs, counter-seasonal truckload tightening, and regulatory changes are hitting the freight market simultaneously.
Bernice Adobe Stock 575699638
AI/AR
Beroe and Kearney Launch AI-Native Decision Engine
Beroe
MAX closes the gap between intelligence and decisive action, providing a unified view across cost, risk, and ESG.
Ipopba Adobe Stock 268793354
Risk/Compliance
Sheryl Toby
Risk/Compliance
Rick Bendix
Risk/Compliance
Michael J. Viscount, Jr.
Risk/Compliance
Identity Verification Poses Biggest Risk to Supply Chains in 2026
Incode Technologies
The biggest cyber risk is no longer just perimeter security; it’s an attacker successfully convincing your systems that they already belong.
Sdecoret Stock adobe com
Risk/Compliance
Elizabeth B. Baatz
Risk/Compliance
Robert Sherman
Risk/Compliance
Traditional Risk Management Systems Failing to Predict Supply Chain Disruptions
ProcureAbility, a Jabil company
68% of procurement organizations cite supply chain disruptions (geopolitical tensions, trade policy shifts, chokepoint disruptions) as the top challenge.
Bristy Adobe Stock 1639059679
Risk/Compliance
Evaluating Third-Party Partners for Security
Sovos
Today, businesses should focus on strategizing against third-party vulnerabilities. Here's how and why.
Nino Lavrenkova Adobe Stock 653191103
AI/AR
Tecsys’ New AI Capabilities to Reduce Shortages, Waste, Compliance Risk
Tecsys
The new AI agents are designed to help high‑stakes environments address critical supply chain challenges, including drug shortages, inventory waste, compliance risk and point‑of‑care documentation.
Jaykoppelman Adobe Stock 1272162717
Page 1 of 185
Next Page