AI-driven development increases risk and expands attack surface


Automation and AI-driven development are accelerating open source consumption: downloads across the four largest registries reached 9.8T (9.8 trillion), up 67 percent year-on-year. Attackers, however, are moving just as fast, according to the 2026 State of the Software Supply Chain report from Sonatype.

Data quality gaps and prioritization friction keep known vulnerable components circulating for longer than they should. Log4Shell, for example, reached 42 million downloads in 2025 despite fixed versions of Log4j existing for years. This means organizations today are exposed to a Critical vulnerability that was patched more than four years ago.

“In our eleventh year of this analysis, the open source bargain holds true: we all move faster because we share. What’s changed is the scale and the stakes. The commons is production infrastructure now, attackers know it, and AI puts the whole system on fast-forward,” says Brian Fox, co-founder and CTO of Sonatype. “Trust needs to align with the machine-level speed of software. That takes intelligence you can enforce in the workflow, not another report to read after an incident.”

When AI selects open source software components for enterprise applications, analysis of 37,000 recommendations shows that GPT-5 hallucinated 27.8 percent of component versions and, when operating without real-time intelligence, suggested actual malware packages. Software that relies on those recommended upgrades therefore breaks unless developers put in additional rework.

“The Sonatype State of the Software Supply Chain report is a touchstone of trends within open source development; one that will continue to resonate in the coming months as its wisdom is revisited after the next vulnerability or malware attack,” says Christopher Robinson, chief technology officer and chief security architect at the Open Source Security Foundation. “The report demonstrates how package repositories and the software housed within them are critical assets that need support if they hope to continue providing services to the developers and consumers using them. But this report does more than highlight trends — organizations can look to this analysis for actionable suggestions to move the ecosystem further toward a path of sustainability.”

You can get the full report from the Sonatype site.

Image credit: BiancoBlue/Dreamstime.com