Sonatype Research Reveals Open Source Malware Grows 75% | Sonatype PR
2026-01-28 · via Press Releases

2026 State of the Software Supply Chain® report finds AI-driven development accelerates risk and expands attack surface, making enforceable AI guardrails essential for modern software

Fulton, Md. – January 28, 2026 – Sonatype®, the leader in AI-driven DevSecOps, today unveiled the 2026 State of the Software Supply Chain® report. Backed by Maven Central telemetry and Sonatype Security Research analysis of over 1.233 million malicious packages, 1.7 thousand vulnerability records, and 37 thousand AI-driven upgrade recommendations, the report provides the industry’s broadest and deepest view into how modern software is built.

“In our eleventh year of this analysis, the open source bargain holds true: we all move faster because we share. What’s changed is the scale and the stakes. The commons is production infrastructure now, attackers know it, and AI puts the whole system on fast-forward,” said Brian Fox, Co-founder and CTO of Sonatype. “Trust needs to align with the machine-level speed of software. That takes intelligence you can enforce in the workflow, not another report to read after an incident.”

Automation and AI are accelerating open source consumption, which reached 9.8T downloads, up 67% year-over-year, across the four largest registries, and attackers are moving just as fast. The 2026 State of the Software Supply Chain report examines AI-driven software upgrade and security decisions, observing that without context and enforceable controls, AI can introduce new supply chain risk at the point of creation, leading to more rework for developers. Other key takeaways include:

  • Automated and cloud-driven open source consumption are straining shared infrastructure: 86% of Maven Central traffic in 2025 came from Cloud Services Providers (CSPs), showing that build patterns are multiplying repeat downloads and increasing operational burden across the open source ecosystem.
  • Open source malware surpasses 1.233 million packages, escalating in scale and sophistication: Nation-state attackers increasingly mimic trusted developer tools and leverage legitimate channels to reach build environments as automated self-replicating malware takes center stage with incidents like Shai-Hulud and IndonesianFoods.
  • Vulnerability risk persists despite available fixes: Data quality gaps and prioritization friction keep known vulnerable components circulating longer than they should. Log4Shell, for example, reached 42 million downloads in 2025 despite fixed versions of Log4j existing for years. This means organizations today are exposed to a Critical vulnerability that was patched more than four years ago.
  • AI boosts output but introduces new supply chain failure modes without grounding: When AI selects open source software components for enterprise applications, analysis of 37K recommendations shows GPT-5 hallucinated 27.8% of component versions and suggested actual malware packages when operating without real-time intelligence, meaning that, without additional rework, software relying on those upgrades breaks.
  • Software transparency is becoming a global expectation: Policy and regulations, like the Cyber Resilience Act and the AI Act, and customer requirements are converging on proof of provenance, contents, and control across the software lifecycle.

"The Sonatype State of the Software Supply Chain report is a touchstone of trends within open source development; one that will continue to resonate in the coming months as its wisdom is revisited after the next vulnerability or malware attack," said Christopher Robinson, Chief Technology Officer & Chief Security Architect at the Open Source Security Foundation. "The report demonstrates how package repositories and the software housed within them are critical assets that need support if they hope to continue providing services to the developers and consumers using them. But this report does more than highlight trends — organizations can look to this analysis for actionable suggestions to move the ecosystem further toward a path of sustainability."

“The takeaway from what we are seeing in the market is straightforward: AI should accelerate secure decisions, not uncertainty. IDC research indicates that developers accept an average of 39% of AI-generated code without revision, highlighting how often AI output is incorporated as-is,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “When paired with Sonatype's findings, the data suggests that AI-driven recommendations benefit from grounding in current supply chain intelligence and enforceable policy, so that increased development velocity does not expand the attack surface by default.”

The 2026 State of the Software Supply Chain report findings reinforce that, with the right context, AI tooling makes development safer and faster. In fact, research shows that the Sonatype Hybrid approach resulted in 2.1 times lower dependency upgrade cost and effort compared to the Latest Version strategy and 2.7 times lower compared to LLM recommendations. To integrate real-time open source intelligence into your AI-driven development, register for Sonatype Guide free: https://guide.sonatype.com/register.

To read or download the report, visit https://www.sonatype.com/state-of-the-software-supply-chain.

About Sonatype

Sonatype is the leader in AI-driven DevSecOps. As the maintainers of Maven Central and creators of Nexus Repository, Sonatype has spent two decades pioneering how the world manages and secures open source software — making Sonatype the trusted authority for modern software supply chains. With unmatched open source visibility and a unified product suite built for modern software development, Sonatype gives enterprises the intelligence and automated governance they need to harness the full potential of open source and AI. Sonatype handles the complexity behind the scenes: guiding component and model selection, blocking harmful malicious code, automating dependency and vulnerability management, and ensuring faster, more reliable builds — so developers spend more time on innovation and less time on remediation and rework. Trusted by more than 15 million developers, Sonatype helps power secure, modern software development at nearly 2,000 global organizations including 70% of the Fortune 100. To learn more about Sonatype, please visit www.sonatype.com.

About the Analysis

The 2026 State of the Software Supply Chain combines aggregated, non-identifying open source registry telemetry (with Maven Central used as a primary lens where noted), Sonatype Security Research Team malware investigations (automated detection plus expert review using a consistent threat taxonomy), and a vulnerability data study of OSS-relevant NVD-assigned CVEs (evaluating coverage, scoring consistency, false positives/negatives, and timeliness), with results reported in aggregate as point-in-time snapshots. The report also measures vulnerable versus fixed consumption and analyzes enterprise dependency upgrades across major ecosystems (June–August 2025), comparing multiple upgrade strategies including an LLM/GPT-5 JSON approach. To assess how EOL dependencies create persistent, unpatchable exposure, Sonatype partnered with HeroDevs to examine the security impact of EOL software across modern supply chains.