In recent years, the adoption and growth of open source software (OSS) have soared, with 2024 set to break records, projecting over 6.6 trillion downloads by year-end. The vast influence of open source now underpins nearly every aspect of software development.
However, this rapid expansion also brings unprecedented challenges.
In our recently published 2024 State of the Software Supply Chain report, we dig into the scale of open source and highlight both the remarkable expansion of its ecosystems and the increasing threats posed by malicious actors.
Let’s explore key insights and statistics from the report to understand the scale of open source adoption and the security challenges it brings.
Explosive Growth Across Ecosystems
One of the most notable points from the report is the sheer growth in open source downloads across multiple ecosystems:
- npm, the JavaScript ecosystem, continues to dominate with 4.5 trillion requests in 2024, marking a 70% year-over-year growth.
- PyPI, the Python ecosystem, is the fastest-growing ecosystem, expected to reach 530 billion requests by year-end, an 87% YoY increase.
- The Maven Central ecosystem (primarily used by Java developers) is projected to handle 1.5 trillion requests in 2024.

This rapid expansion highlights the widespread adoption of open source components across various industries. However, not all growth is genuine. Ecosystems like npm have experienced a rise in “spam” packages — malicious or low-quality packages published with ill intent.
The Rise of Malicious Packages
As the availability of open source components continues to grow, there is a concerning increase in open source malware. Over the past year, Sonatype has documented more than 512,847 malicious packages, marking a 156% rise compared to the previous year.
The npm ecosystem has been hit particularly hard, with malicious packages distorting its growth statistics. This influx of bad actors has forced