Upstream risk in the software supply chain remains a real threat, with 245,032 malicious packages already detected in 2023 – and developers making a wince-inducing 2.1 billion downloads of open source software (OSS) packages with known vulnerabilities over the past year.
Bad Behaviour and Dirty Downloads: 2.1 billion OSS packages with known vulns downloaded this year.
Strikingly, only 11% of open source projects are ‘actively maintained’. Should you be worried? Well, probably, yes.