The 2025 Software Supply Chain Security Report from ReversingLabs reveals how cyberattacks on software supply chains grew in sophistication throughout 2024, targeting AI, cryptocurrency, open‑source projects, and commercial software. The report highlights alarming trends, including state‑actor campaigns, backdoors in widely used libraries like XZ Utils, and malware hidden in commercial binaries such as JAVS.
Key findings show a 12% increase in developer secret leaks, widespread vulnerabilities in popular open‑source packages, and exploitable flaws in commercial applications. Despite a decline in open‑source malware instances, organizations remain at risk due to insecure code, tampering, and exposed data. The report also underscores the fragility of traditional vulnerability management, with cracks emerging in the CVE/NVD system, leaving enterprises without reliable risk intelligence.
Commercial software is identified as a major blind spot, with “seven deadly sins” including malware, file rot, licensing issues, tampering, exposed secrets, poor hardening, and unpatched vulnerabilities. These flaws, often overlooked by vendors, create opportunities for cybercriminals and nation‑state actors to infiltrate enterprise environments.
The report emphasizes the need for modernized defenses, including deeper visibility into binaries, actionable SBOMs, and advanced analysis techniques. It calls for organizations to demand transparency from suppliers, adopt proactive monitoring, and rethink reliance on CVEs alone.
By examining incidents across AI ecosystems, crypto platforms, and commercial applications, the report provides actionable insights for enterprises to strengthen their software supply chain security. With attacks escalating in scale and sophistication, organizations must prepare for a future where securing both open‑source and commercial software is critical to protecting operations, data, and reputation.
