Bad actors have pumped the brakes when it comes to software supply-chain cyberattacks, but are continuing to accrue a hefty victim list.
Newly published data presented by data analytics platform Stocklytics shows that only 590 software packages were affected by a supply-chain attack in 2024, a 98% decrease from the year prior.
Comparitech data on worldwide supply-chain attacks provides more color on the nature of these attacks. Social engineering was the most common form of attack on suppliers during software supply-chain incidents this year. Joe Saunders, founder and CEO of RunSafe Security, told IT Brew that the attack form has been a problem and will “continue to be a problem.”
“You can just imagine how easy [it is] for somebody to click on a message they received either in social media or an email, not realizing that it’s a result of some kind of software attack that comes from it,” Saunders said.
Meanwhile, open-source code was the most likely target in software supply-chain attacks in 2024. Comparitech data, which covers attacks recorded year to date, shows that open-source code was targeted in about 198 supplier attacks in 2024. Ron Fabela, field CTO of XONA Systems, told IT Brew that this is no surprise, as it is a “common thread” to say that open source is more “insecure” and a large supply-chain risk.
“It’s mostly because they have little or no control over the open-source code itself,” Fabela said.
Consumers beware. While more software packages were able to dodge these malicious attacks this year, software supply-chain attacks continue to pose a significant risk to the public. According to Comparitech data, about 296,688 customers were impacted by software supply-chain attacks in 2024, more than twice the number of customers impacted in 2023 (138,624). XONA Chief Marketing Officer Roark Pollock told IT Brew that the number of customers affected by software supply-chain attacks will continue to see “big spikes” because of how a single attack can have “such a far-reaching impact.”
Saunders added that the number of organizations affected by these attacks will also likely increase at a higher rate than the number of attacks, due to the rising adoption of open-source software, which cybercriminals have continued to target as an attack vector. To mitigate the threat of supply-chain attacks, he recommended that professionals double down on protecting the tooling used to produce software and on understanding the risks associated with the open-source software they use.
“You want to administer the best practices in your build process within your environment and then you want to insert security in the software,” Saunders said. “So, wherever it goes downrange, it’s also secure.”