Report

The State of Software Supply Chain Security 2024

28 Pages

The report outlines major shifts in software supply chain security, emphasizing growing visibility gaps and rising threats across open‑source ecosystems. Malicious packages are increasing, with PyPI surpassing npm as the top source of harmful uploads. Malware types are evolving, while PUA and protestware continue to spread. Developer secrets—especially private keys and service credentials—remain frequently exposed. As AI adoption rises, new risks emerge. Regulators are responding with updated guidance, signaling the move toward a post‑trust supply chain where continuous verification is essential.
