Industry Trends

Software Supply Chain Security in 2024: A Year in Review

From the CrowdStrike outage to state-sponsored npm campaigns and regulatory milestones, 2024 was the year supply chain security went from niche concern to operational necessity.

Nayan Dey
DevSecOps Engineer
7 min read

If 2023 was the year the software industry acknowledged supply chain security as a problem, 2024 was the year it felt the consequences of not solving it fast enough. From a single EDR update crashing 8.5 million machines to state-sponsored threat groups industrializing package poisoning, 2024 delivered a relentless series of lessons about the fragility of modern software supply chains.

Here is what happened, what it meant, and where the industry stands as we head into 2025.

The Incidents That Defined 2024

CrowdStrike Falcon Outage (July 19)

The year's most consequential supply chain event was not a cyberattack. A faulty content update to CrowdStrike's Falcon sensor caused 8.5 million Windows systems to crash, grounding airlines, disrupting hospitals, and shutting down banks worldwide. The estimated economic impact exceeded $10 billion.

The incident demonstrated that security tools themselves are supply chain dependencies with catastrophic failure potential. It also exposed the absence of staged rollout practices for many security vendor updates and the painful reality that mass remediation of unbootable systems is a manual, time-intensive process.

VPN and Edge Appliance Vulnerability Epidemic

2024 saw an unprecedented volume of critical vulnerabilities in network security appliances:

  • Ivanti Connect Secure (CVE-2024-21887, CVE-2023-46805): Chained zero-days exploited by Chinese state-sponsored groups.
  • Fortinet FortiOS (CVE-2024-21762): Out-of-bounds write exploited in the wild.
  • Palo Alto PAN-OS (CVE-2024-3400): Command injection in GlobalProtect gateway.
  • FortiManager (CVE-2024-47575): FortiJump zero-day for unauthenticated access.
  • SonicWall SonicOS (CVE-2024-40766): SSL VPN access control bypass.
  • Cisco ASA/FTD (CVE-2024-20481): DoS via brute-force attacks.

The pattern was consistent: internet-facing devices with complex, proprietary codebases yielding critical, unauthenticated vulnerabilities that were exploited within days of disclosure (or before disclosure, in the case of zero-days).

Malicious Package Campaigns at Scale

State-sponsored and criminal actors continued to poison open-source package registries:

  • North Korean threat groups published hundreds of malicious npm packages through the "Contagious Interview" campaign.
  • Python typosquatting campaigns grew more sophisticated, with malicious packages mimicking popular libraries.
  • The XZ Utils backdoor (CVE-2024-3094), discovered in March, revealed a years-long social engineering campaign to compromise a critical Linux compression library.

The XZ Utils incident was particularly alarming. A threat actor spent two years building trust with the maintainer of a low-profile but widely used Linux utility, eventually gaining commit access and inserting a sophisticated backdoor. The backdoor was discovered by accident just before it propagated to stable Linux distributions.

CI/CD and Build System Attacks

Multiple incidents highlighted the vulnerability of build and release infrastructure:

  • GitHub Actions artifact poisoning techniques were disclosed, showing how attackers could inject code through CI/CD trust assumptions.
  • GitLab addressed four critical pipeline execution vulnerabilities throughout the year.
  • Several open-source projects discovered that their release artifacts had been tampered with during the build process.

Regulatory and Standards Developments

EU Cyber Resilience Act

The CRA was finalized in 2024, establishing mandatory cybersecurity requirements for products with digital elements sold in the EU. Key provisions include:

  • Mandatory vulnerability handling processes for manufacturers.
  • SBOM requirements for all software products.
  • Reporting obligations for actively exploited vulnerabilities.
  • Significant fines (up to 15 million EUR or 2.5% of global turnover) for non-compliance.

The compliance timeline gives manufacturers until 2027, but organizations selling into the EU market need to start preparing now.

US Federal SBOM Requirements

Federal agencies continued to expand SBOM requirements in procurement:

  • The Department of Defense finalized its SBOM policy, requiring SBOMs for all new software acquisitions.
  • CISA published updated SBOM sharing and lifecycle guidance.
  • OMB Memorandum M-22-18 implementation continued, with agencies beginning to enforce self-attestation requirements for critical software.

NIST NVD Crisis and Recovery

The NIST National Vulnerability Database experienced significant disruptions starting in February 2024, with a growing backlog of CVEs awaiting enrichment and analysis. By mid-year, tens of thousands of CVEs had been published without NVD analysis.

The NVD Consortium, announced in late 2024, aims to address the resource constraints that caused the backlog. But the disruption highlighted the danger of depending on a single vulnerability data source.

Open Source Security Initiatives

OpenSSF Progress

The Open Source Security Foundation (OpenSSF) continued to drive ecosystem-wide security improvements:

  • Launch of the SIREN mailing list for sharing open-source security threat intelligence.
  • Expansion of the Alpha-Omega project funding critical open-source security improvements.
  • Progress on Sigstore adoption across major package managers.
  • Development of GUAC (Graph for Understanding Artifact Composition) for supply chain data analysis.

Package Manager Hardening

Major package registries took concrete steps to improve security:

  • npm enforced 2FA for all maintainers of packages with significant download counts.
  • PyPI expanded the Trusted Publishers program and improved malicious package detection.
  • Homebrew began publishing build provenance attestations.
  • Go's module ecosystem continued to benefit from its checksum database and minimal version selection.

Lessons Learned

Everything Is a Supply Chain Dependency

The CrowdStrike outage proved that security tools, operating system components, and infrastructure services are all supply chain dependencies. Organizations cannot limit their supply chain analysis to application-level dependencies.

Patch Velocity Is a Competitive Advantage

The gap between vulnerability disclosure and exploitation shrank to days throughout 2024. Organizations with automated patch management and rapid deployment capabilities weathered the storm. Those with multi-week change management processes were repeatedly caught exposed.

Open Source Sustainability Is a Security Issue

The XZ Utils incident highlighted that critical open-source software is often maintained by individuals without adequate support. When a single burned-out maintainer is the bottleneck for a component installed on millions of systems, the entire supply chain is at risk.

Visibility Is Foundational

Every major incident in 2024 was made worse by organizations not knowing what software they were running. Whether it was identifying which systems had vulnerable VPN firmware, which applications depended on a compromised package, or which machines were running the CrowdStrike sensor, the ability to quickly answer "where is this in our environment?" was the differentiator between effective and chaotic response.
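Answering "where is this in our environment?" is exactly what an SBOM inventory should do in seconds rather than days. The Python below is an added example (not the author's or Safeguard.sh's code): it indexes a few constructed CycloneDX-style SBOMs and reports every application that contains a named component, optionally limited to a set of versions, along with the dependency path that brings it in; the component names, purls and version numbers are illustrative sample data.

```python
from collections import deque
# Constructed CycloneDX-style SBOMs (parsed JSON) for two services; sample data, illustrative
# versions. billing-api reaches xz-utils via libarchive; batch-worker ships an older one directly.
SAMPLE_SBOMS = {
    "billing-api": {
        "metadata": {"component": {"name": "billing-api", "bom-ref": "root"}},
        "components": [
            {"name": "libarchive", "version": "3.7.2", "bom-ref": "pkg:deb/debian/libarchive@3.7.2"},
            {"name": "xz-utils", "version": "5.6.1", "bom-ref": "pkg:deb/debian/xz-utils@5.6.1"}],
        "dependencies": [
            {"ref": "root", "dependsOn": ["pkg:deb/debian/libarchive@3.7.2"]},
            {"ref": "pkg:deb/debian/libarchive@3.7.2", "dependsOn": ["pkg:deb/debian/xz-utils@5.6.1"]}]},
    "batch-worker": {
        "metadata": {"component": {"name": "batch-worker", "bom-ref": "root"}},
        "components": [{"name": "xz-utils", "version": "5.4.6", "bom-ref": "pkg:deb/debian/xz-utils@5.4.6"}],
        "dependencies": [{"ref": "root", "dependsOn": ["pkg:deb/debian/xz-utils@5.4.6"]}]},
}

def _shortest_path(graph, src, dst):
    """BFS over declared dependency edges: list of bom-refs from src to dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def find_component(sboms, name, versions=None):
    """Return {sbom_id: [path, ...]} for every SBOM containing `name`; each path is the chain of
    component names from the SBOM root to the match. `versions` limits hits to affected versions."""
    hits = {}
    for sbom_id, bom in sboms.items():
        root = bom["metadata"]["component"]["bom-ref"]
        comps = {c["bom-ref"]: c for c in bom.get("components", [])}
        names = {**{r: c["name"] for r, c in comps.items()}, root: bom["metadata"]["component"]["name"]}
        targets = [r for r, c in comps.items()
                   if c["name"] == name and (versions is None or c.get("version") in versions)]
        if targets:
            graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
            # A match with no declared dependency edge is still present: report it on its own.
            hits[sbom_id] = [[names[r] for r in (_shortest_path(graph, root, t) or [t])] for t in targets]
    return hits
```

Feeding the advisory's affected versions into `versions` turns a fleet-wide "do we ship this at all?" answer into "which services ship the vulnerable build, and through which dependency?", which is the question that drives remediation order.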

The State of the Industry

As 2024 ends, the software supply chain security industry is in a state of rapid maturation:

Tooling has improved significantly. SBOM generation, vulnerability scanning, and package analysis tools are more accurate and comprehensive than they were a year ago.

Standards are converging. CycloneDX and SPDX continue to evolve, VEX (Vulnerability Exploitability eXchange) is gaining adoption, and the in-toto framework for supply chain integrity is maturing.

Awareness is at an all-time high. The CrowdStrike outage alone ensured that every CISO and CTO in the world now understands what a software supply chain incident looks like.

Practice still lags. Despite improved tooling and awareness, most organizations still do not have comprehensive SBOMs, do not monitor their full dependency tree for vulnerabilities, and do not have automated policies for supply chain governance.

The gap between awareness and practice is the defining challenge for 2025.

How Safeguard.sh Helps

Safeguard.sh exists to close the gap between supply chain security awareness and operational practice.

  • Automated SBOM generation provides continuous, comprehensive visibility into every component in your software supply chain, from application dependencies to infrastructure appliances.
  • Real-time vulnerability monitoring correlates your SBOM against multiple vulnerability intelligence sources, ensuring rapid detection of newly disclosed threats.
  • Policy automation codifies your supply chain security requirements as enforceable policies, transforming aspirational security standards into operational controls.
  • Regulatory compliance support generates the documentation and evidence needed for CRA, federal SBOM requirements, and other regulatory mandates.

2024 taught us what happens when supply chain security is treated as an afterthought. 2025 is the year to make it operational.
