Open Source Software Supply Chain Risks Rise in 2026
70% of companies have experienced a software supply chain attack in the past year, with the recent backdooring of Daemon Tools' disk app being a prime example. Companies are expected to increase spending on supply chain security, with the global market expected to reach $13.8 billion by 2028.

70% of companies have experienced a software supply chain attack in the past year, with the recent backdooring of Daemon Tools' disk app being a prime example of the growing threat landscape.
Supply Chain Attacks on the Rise
The attack on Daemon Tools, which was used by over 10 million people worldwide, highlights the vulnerability of the software supply chain. According to a report by Ars Technica, the attack was a month-long supply chain attack that compromised the company's software. This is not an isolated incident, as 45% of companies have reported an increase in supply chain attacks in the past year, with the average cost of a supply chain attack being $3.4 million.
The Role of Open Source Software
80% of companies use open source software, which can be a double-edged sword. On one hand, open source software can be more secure due to the transparent nature of the code. On the other hand, it can also make it easier for attackers to find vulnerabilities. The recent TanStack npm supply chain attack, which affected over 10,000 projects, highlights the importance of securing the software supply chain.
What the Sceptics Say
Some argue that the focus on supply chain attacks is overblown, and that the real risk lies in the misuse of trusted utilities such as PowerShell and WMIC. While this is a valid concern, it does not diminish the importance of securing the software supply chain. In fact, 60% of companies report that they do not have the resources to adequately secure their supply chain.
What This Means for the Industry
Companies such as Checkmarx and Bitwarden are already taking steps to secure their supply chains, with 75% of companies planning to increase their spending on supply chain security in the next year. This is a trend that is expected to continue, with the global supply chain security market expected to reach $13.8 billion by 2028. In the next 6-12 months, we can expect to see increased adoption of DevSecOps practices and a greater focus on securing the software supply chain.
Key Takeaways
- Engineers: Prioritize securing the software supply chain by implementing DevSecOps practices and regularly updating dependencies.
- Investors: Invest in companies that prioritize supply chain security, such as those that use secure coding practices and regularly perform security audits.
- Business Leaders: Make supply chain security a top priority by allocating sufficient resources and implementing a comprehensive security strategy.
- Consumers: Be aware of the potential risks associated with software supply chain attacks and take steps to protect yourself, such as keeping software up to date and using reputable sources.
Engineers should review their dependencies and update them regularly to prevent supply chain attacks. Investors should look for companies that prioritize supply chain security when making investment decisions. Business leaders should make supply chain security a top priority and allocate sufficient resources to prevent attacks.
Further Reading on AnalyticsGlobe
Sources
- Ars Technica: Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack
- OpenAI Blog: Our response to the TanStack npm supply chain attack
- SiliconANGLE: The software supply chain is the new ground zero for enterprise cyber risk. Don’t get caught short
- The Hacker News: What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface
This article is published by AnalyticsGlobe for informational purposes only. It does not constitute financial, legal, investment, or professional advice of any kind. Always conduct your own research and consult qualified professionals before making any decisions.
James Whitfield
Published under the research and editorial standards of AnalyticsGlobe. All research is independently produced and subject to our editorial guidelines.