Safeguard
Open Source Security

5 risks of open source software in 2026

Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.

Safeguard Research Team
Research
Updated 7 min read

SAN FRANCISCO — January 2026. Open source now accounts for the vast majority of the code running in production — most audits of enterprise codebases put the open source share of a typical application at 70% to 90% of total code volume. That dependency has paid off in speed and cost savings for over two decades, and the open source system underpinning most software today has also become the single largest attack surface most organizations manage without a dedicated owner. Heading into 2026, security teams are contending with a supply chain that is bigger, more automated, and more actively targeted than at any point since the Log4Shell disclosure reset the industry's risk calculus in late 2021.

The past eighteen months have supplied plenty of evidence that the threat is not theoretical. The XZ Utils backdoor (CVE-2024-3094), discovered in March 2024, showed that a patient, multi-year social-engineering campaign could insert a remote-code-execution backdoor into a compression library embedded in most Linux distributions — and that it could get within weeks of shipping in stable releases before a single engineer noticed a performance anomaly. Package registries including npm and PyPI have continued to report thousands of malicious package takedowns per year, and the rise of AI-assisted coding has introduced an entirely new failure mode: developers asking coding assistants for a library and installing whatever plausible-sounding package name the model hallucinates, some of which attackers have preemptively registered and weaponized.

Against that backdrop, here are five risks defining open source software security in 2026 — and what security and platform teams need to be doing about each one.

1. Malicious and compromised packages are now a volume business

Attackers no longer wait for a maintainer's credentials to be phished before compromising a package. Typosquatting (publishing reqeusts instead of requests), dependency confusion (publishing a public package with the same name as an internal private one), and maintainer account takeovers via credential stuffing or expired-domain email hijacks have all matured into repeatable playbooks with documented success rates. The XZ Utils incident escalated the threat model further: it demonstrated that a sufficiently patient adversary can spend years building trust as a legitimate co-maintainer before inserting a backdoor tuned to evade routine review. Registries have added stronger publisher verification and 2FA requirements over the past two years, but the sheer scale of npm (over 3 million packages) and PyPI (over 600,000 projects) means detection still leans heavily on the community reporting anomalies after the fact, not before.

2. Transitive dependencies are where the real exposure lives

Most organizations can name their direct dependencies. Very few can name the 200 or so transitive dependencies that each of those direct dependencies pulls in. Modern JavaScript and Java projects commonly resolve to dependency trees several hundred packages deep, and a vulnerability introduced four or five levels down a tree is invisible to teams that only scan their manifest file. This is precisely the pattern that made Log4Shell so devastating in 2021: Log4j was rarely a direct dependency, it was buried inside other frameworks and libraries, and organizations spent months just discovering where it was running before they could even start remediation. Five years later, transitive risk remains the largest blind spot in most vulnerability management programs, and the average time-to-patch for a critical transitive CVE still lags direct dependencies by a wide margin according to multiple industry supply-chain reports.

3. Alert fatigue is turning "scan everything" into "fix nothing"

The default response to open source risk has been to bolt on a software composition analysis (SCA) scanner — commercial or open source, from Semgrep's open source rules engine to any of the SaaS platforms — and flag every CVE that matches an installed package version. The result, well documented across the industry, is thousands of findings per repository, the overwhelming majority of which point to code paths that are never actually called at runtime. Security teams triaging by CVSS score alone routinely spend their sprint capacity patching dependencies that pose no real exploitability in their specific application context, while genuinely reachable, exploitable vulnerabilities sit unaddressed in the backlog because they didn't happen to score above a threshold. Backlogs in the thousands-of-open-findings range are now common at mid-size and large engineering organizations, and developer trust in the scanner degrades every time a "critical" ticket turns out to be dead code.

4. Maintainer burnout and single-point-of-failure projects

A large share of the open source ecosystem is maintained by remarkably few people. Analyses of critical infrastructure libraries have repeatedly found that a meaningful percentage of widely-depended-upon packages are maintained by a single person, often unpaid, often in their spare time. That is exactly the condition that made the XZ Utils social-engineering attack possible in the first place: a maintainer under real personal and professional strain accepted help from a persistent, seemingly cooperative contributor who had been building credibility for roughly two years. Abandonment risk compounds this: packages that go unmaintained don't get archived, they keep getting downloaded, and their unpatched vulnerabilities keep aging into production systems that have no idea the upstream project is effectively dead.

5. AI-generated code is accelerating dependency sprawl — and inventing new attack vectors

2026 is the first year where a substantial share of new code in many organizations is AI-generated or AI-assisted, and that shift is reshaping open source risk in two distinct ways. First, volume: AI coding assistants make it trivially easy to pull in a new package for a task that previously would have been hand-rolled, and each new dependency is another unreviewed entry in the SBOM. Second, and more novel, is "slopsquatting" — attackers registering the plausible-but-nonexistent package names that large language models are statistically prone to hallucinate when asked to recommend a library, then loading those packages with malicious payloads and waiting for developers (or agentic coding tools) to install them automatically. Researchers studying LLM code generation have found hallucinated package suggestions occur often enough, and are consistent enough across repeated prompts, that they're a reliably exploitable pattern rather than a rare edge case — turning a productivity feature into a new, largely un-audited supply chain entry point.

The common thread

Each of these risks looks different on the surface — a backdoored maintainer, a buried transitive dependency, an unreachable CVE clogging a backlog, an abandoned single-maintainer project, a hallucinated package name — but they share a root cause: most organizations still assess open source risk by what's installed rather than by what's actually exploitable and reachable in their running application. Inventory without context produces exactly the alert fatigue and misallocated remediation effort described above. Fixing that gap is the difference between a security program that reacts to headlines and one that closes real exposure before attackers find it.

How Safeguard Helps

Safeguard is built around closing that gap between "installed" and "exploitable." Our reachability analysis traces call paths from your application's actual entry points down through direct and transitive dependencies, so teams can immediately see which of their thousands of open findings are truly exploitable versus dead code — cutting remediation backlogs down to what actually matters. Griffin AI, Safeguard's AI-powered detection and triage engine, continuously monitors dependency behavior and registry activity to flag anomalies consistent with malicious packages, typosquatting, and slopsquatting patterns before they reach production. Safeguard generates and ingests SBOMs automatically across your build pipeline, giving you a living, continuously updated inventory of every direct and transitive component — including ones introduced by AI-assisted development — rather than a point-in-time snapshot. And when a reachable, exploitable vulnerability is confirmed, Safeguard's auto-fix PRs propose the patched dependency version directly in your workflow, turning triage into a merge-ready fix instead of another open ticket.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.