Sonatype 2026 Report: The Challenge of Trust at Scale

Feb, 2026

In 2025 the world did not just produce more software. It reused more software, more often, at an unprecedented rate.

This is the central conclusion of the State of the Software Supply Chain 2026, Sonatype's 11th annual report. The document confirms what many teams already feel in the field: the software supply chain has definitively entered machine scale, and this profoundly changes the risk model.

While the previous report emphasized complexity and exposure, this year’s message is more structural: trust at scale is now the main technical and business challenge for modern software.

The numbers that define 2025

There are four indicators that summarize the current state of the open source ecosystem:

  • 1,233,219 open-source malware packages registered since 2019
  • 9.8 billion downloads in 2025 (Maven Central, PyPI, npm, and NuGet)
  • 27.76% "hallucination" rate in update recommendations made by LLMs
  • 65% of open-source vulnerabilities remained unclassified by CVSS in NVD

These figures reveal a growing mismatch between the scale of consumption and the maturity of control mechanisms.

Innovation has accelerated. Governance has not kept pace.

When growth meets gravity

The major public registries were projected to serve 9.8 trillion downloads in 2025. However, this growth does not necessarily mean more innovation. A significant portion of the traffic results from poorly configured CI/CD pipelines, ephemeral environments without persistent caching, redundant re-downloads, and unnecessary transitive dependencies.

Open source isn’t the problem. The lack of consistent control is.

The report distinguishes between two phenomena: organic growth and synthetic growth. The first reflects legitimate adoption—cloud, AI, new frameworks. The second results from uncontrolled automation, spam publishing, and malware campaigns.

Open-source malware: from exception to recurring model

2025 marks a turning point. An additional 454,000 new malicious packages were identified in a single year, bringing the cumulative total to over 1.2 million. More than 99% of this malware was published on npm.

The attacks have become more sophisticated: multi-stage campaigns, credential exfiltration, hijacking of popular packages, and activity associated with state-sponsored groups. The target is no longer just the end application; it has become the development process itself, including developers, pipelines, and the systems where tokens and credentials reside.

Vulnerabilities: Three layers of failure

The report identifies weaknesses at three distinct levels.

Data layer.
65% of open-source CVEs lacked official CVSS classification. Without reliable metrics, risk prioritization becomes arbitrary and inconsistent.

Consumer layer.
Even when patches are available, vulnerable versions continue to be downloaded en masse. Operational inertia and forgotten dependencies perpetuate avoidable risk.

Ecosystem layer.
The increasing use of end-of-life (EOL) software transforms known vulnerabilities into structural debt.

These flaws are not isolated; they reinforce each other.

AI: Productivity without validation is an amplified risk

Artificial intelligence is already integrated into the daily routines of development teams. Code assistants and upgrade suggestion tools promise efficiency, but the report reveals a critical limitation:

27.76% of upgrade recommendations made by LLMs pointed to non-existent versions.

When these suggestions go directly into automated pipelines, the error scales with them. Models trained on static data do not validate that the versions they suggest actually exist, nor do they track the dynamic evolution of the public registries.

AI can be a powerful accelerator, provided it is anchored in up-to-date sources of truth and automated verification mechanisms. Without that framework, it turns small inaccuracies into operational risks.
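The verification mechanism the report calls for can be a simple gate between the LLM suggestion and the pipeline: before any proposed upgrade is applied, check it against what the registry actually publishes. The example below is added here and is not code from Sonatype or from the report; the package name, versions and registry metadata are constructed inline (in production the metadata would be fetched live from the registry or an internal repository manager), and the `validate_upgrade` function and `Verdict` type are hypothetical names.

```python
"""Gate that checks LLM-proposed dependency upgrades against registry truth."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed stand-in for an npm registry "packument" (the JSON document the
# registry returns for one package). Field names follow the real registry shape
# ("dist-tags", "versions", optional "deprecated"); package and versions are invented.
CONSTRUCTED_REGISTRY = {
    "example-http-client": {
        "dist-tags": {"latest": "4.2.1"},
        "versions": {
            "3.9.0": {},
            "4.0.0": {"deprecated": "security fix in 4.0.1, please upgrade"},
            "4.0.1": {},
            "4.2.1": {},
        },
    }
}

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version: str) -> tuple[int, int, int] | None:
    """Parse a plain x.y.z version into a comparable tuple; None if malformed."""
    m = SEMVER.match(version)
    return tuple(int(g) for g in m.groups()) if m else None


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_upgrade(package: str, current: str, suggested: str,
                     registry: dict = CONSTRUCTED_REGISTRY) -> Verdict:
    """Accept an upgrade only if the registry really publishes the suggested
    version, it is newer than what is installed, and it is not deprecated."""
    meta = registry.get(package)
    if meta is None:
        return Verdict(False, f"package {package!r} not found in registry")
    cur, sug = parse(current), parse(suggested)
    if sug is None:
        return Verdict(False, f"suggested version {suggested!r} is not a valid x.y.z version")
    if suggested not in meta["versions"]:  # the hallucinated-version case
        return Verdict(False, f"{package}@{suggested} does not exist (latest is {meta['dist-tags']['latest']})")
    if cur is not None and sug <= cur:
        return Verdict(False, f"{suggested} is not newer than installed {current}")
    if meta["versions"][suggested].get("deprecated"):
        return Verdict(False, f"{package}@{suggested} is deprecated: {meta['versions'][suggested]['deprecated']}")
    return Verdict(True, f"{package}@{suggested} verified against registry")
```

A rejected verdict should stop the pipeline step and surface the reason to a human, rather than being silently retried with the next model suggestion.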

Transparency as a structural requirement

Trust in the supply chain is no longer merely a matter of declaration. SBOMs (Software Bills of Materials), provenance attestations, and traceability have become regulatory and contractual requirements in several markets.

Trust is no longer just talk. It has become a technical tool.

The implication is simple: security evidence should be generated automatically during the build process and integrated into continuous delivery pipelines. Organizations that internalize this principle reduce regulatory friction, simplify audits, and strengthen their competitive position.

What does this mean for Portuguese organizations?

For organizations in Portugal, these trends translate into a clear need: to professionalize the governance of the software supply chain.

This involves consolidating internal repositories, applying explicit consumption policies, distinguishing between actually used dependencies and irrelevant transitive dependencies, and integrating Software Composition Analysis tools with up-to-date and contextualized data.

More than just technology, it is about aligning engineering, security, and management.

It is within this framework that homeostase, as a partner and official reseller of Sonatype in Portugal, supports organizations in implementing solutions that allow them to gain visibility, reduce risk, and respond to regulatory demands with technical confidence.

Scaled trust as a strategic decision

Sonatype’s 11th Annual Report shows that the central challenge of modern software is not innovation, but rather sustaining innovation within an ecosystem that operates at machine scale. Speed will continue to increase. Automation will become ever more profound. Regulatory pressure will not diminish.

Competitive advantage belongs to organizations that can combine speed with control and transparency with efficiency.

Trust at scale is not a technical detail; it’s a strategic decision. And it’s this decision that defines who leads—and who merely reacts—in the next phase of digital transformation.

Source here.
