Open-Source Vulnerabilities Threaten Modern Software Supply Chains

Security analysts warn on 2 April 2026 that open-source vulnerabilities and malicious packages are creating systemic supply-chain risks for organizations of all sizes. Studies cited show about 65% of open-source CVEs lack CVSS scores (46% of those would be High), Sonatype found over 450,000 malicious packages in 2025, and AI agents frequently recommend outdated or incorrect dependencies. Companies must improve dependency visibility and vet agent outputs.
Key Points
- 1Report 65% of open-source CVEs lack CVSS scores; 46% would classify as High
- 2Show accelerating supply-chain risk: Sonatype detected over 450,000 malicious packages in 2025
- 3Advise practitioners to map full dependency trees, prioritize legacy components, and validate AI-suggested dependencies
Scoring Rationale
Timely, industry-wide analysis backed by credible sources (Sonatype, Tenable, Kaspersky) raises novelty and scope scores. Actionability is moderate—practical remediation steps suggested but limited technical depth. No freshness penalty applied (published today, 2026-04-02).
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems