Threats to the Open Source Software (OSS) Supply Chain and Outlook for 2025
OSS as an attack vector
Open source software (OSS) has become a significant threat vector over the past decade due to its widespread use and the lack of a shared responsibility model. With over 5 million OSS packages available, approximately 901 TP5T of modern code uses them, representing up to 801 TP5T of many companies' code bases. However, the lack of governance and transparency makes it an ideal target for supply chain attacks.
Supply chain attacks have increased by 431% since 2021 and will continue to pose a high risk in 2025. Since cybercrime is a return-on-effort business, compromising a single OSS package can lead to multiple breaches, affecting many companies simultaneously.
Supply chain specific threatsin OSS
- Lack of SBOM (Bill of Materials Software): OSS developers are not required to provide an SBOM, which reduces visibility into software dependencies and increases the risk of vulnerabilities.
- Inconsistent update management: Many OSS libraries are maintained with limited resources, making security updates irregular.
- Social and technical attacksCases like XZ Utils demonstrate how malicious actors can infiltrate OSS projects through social engineering techniques.
- Interference by foreign entities: Hostile organizations and states exploit the OSS ecosystem to introduce malicious code (e.g., Polyfill incident).
- Risk of critical vulnerabilitiesEvents like Log4j, Heartbleed, and Shellshock highlight the unpredictability and potential impact of large-scale vulnerabilities.
AI and OSS: New Security Challenges
Artificial intelligence (AI) is poised to be the major cybersecurity disruptor of 2025. The growing use of AI-based code generation tools, such as ChatGPT, exposes companies to new risks:
- “AI Package Hallucination”: Malicious actors can trick AI models into suggesting non-existent packages and then publish compromised versions to OSS registries like npm or PyPI.
- Vulnerabilities introduced by AIAI-based code synthesis can unintentionally generate security vulnerabilities.
- OSS AI modelsOpen-source AI models downloadable from platforms like Hugging Face pose similar risks to traditional OSS libraries.
OSS Supply Chain Defense Attempts
- SBOMsAlthough promoted by the US government with Executive Order EO14028, their adoption is still limited. Tools like npm sbom (a command that generates a Software Bill of Materials, SBOM) simplify dependency management, but it remains to be seen whether companies will use them on a large scale.
- AI BOMs: The industry is working to develop AI-specific SBOMs, such as ML-BOMs, to monitor datasets, algorithms, and dependencies.
- Tea ProtocolA new blockchain-based framework aims to improve the sustainability and security of OSS by rewarding developers and incentivizing vulnerability reporting. However, concerns exist about abuse and denial of service attacks in OSS registries.
Regulations and the Future of OSS Security
2025 will see increased regulation on software supply chain security, with regulations such as NIS2, DORA and ECRA in Europe and US initiatives such as CISA Secure by DesignHowever, reactive regulations could increase costs and push companies to reduce support for pure OSS, favoring closed-source or hybrid licensing alternatives.
Conclusion
OSS will continue to pose a risk to the software supply chain in 2025. While SBOMs, regulations, and new technologies provide defenses, no solution guarantees complete security. Companies must prepare for an evolving threat landscape by strengthening OSS governance and adopting proactive mitigation strategies.
Source: SecurityWeek.com
