Software packages affected by supply-chain attacks are down, but more customers are impacted

In 2024, the number of software packages affected by supply-chain cyberattacks dropped sharply: only 590 packages were impacted, a 98% decrease from the previous year. Despite the decline in the number of affected packages, however, the number of customers affected more than doubled, with nearly 297,000 customers impacted, up from about 139,000 in 2023. Fewer compromised packages reached far more downstream users, which suggests attackers concentrated on widely depended-upon components rather than volume.

Social engineering was identified as the most common attack method, particularly against open-source code, which remains a significant security risk because downstream consumers have little control over who maintains and contributes to the components they depend on. Industry experts, including Joe Saunders of RunSafe Security, emphasized the ongoing challenges posed by these attacks and stressed the importance of securing the software development process, especially where open-source components are pulled into the build.