1、12025 ReversingLabs,Inc.All Rights ReservedTRUST DELIVEREDA Message from Our CEO 4Report Highlights 5Executive Summary 6Key Trends 7Software Supply Chain Attacks Level Up 7Crypto:A Canary in the Coalmine for Supply Chain Security 7Focus:Crypto in the Crosshairs 8The XZ Utils Backdoor 10State-Actor A

2、ttacks on Development Organizations 10Serious Cyber Risks Lurk in Commercial Binaries 10Commercial Binaries:What You Dont Know Is Already Hurting You 10Focus:Commercial Softwares Seven Deadly Sins 11Hack of JAVS Highlights Risks Lurking in Commercial Apps 13Implanted Backdoor Delivers RustDoor Malwa

3、re 13JAVS Differential Analysis Exposes Signs of Tampering 14Links to Ransomware Groups 15Lesson Learned:Dont Trust,but Verify Commercial Binaries 15The Great Unpatched:Open-Source Risks Persist 16Vulnerable and Popular:Serious Risks Lurk In Open-Source Packages 16Critical and Patch-Mandated Flaws T

4、aint Popular Packages 17Mind the Rot 19Who Pays for Vulnerable Code?Customers.19Focus:Serious Risks Lurk in Torchvision Python Package 21Leaked Secrets Persist on Open-Source Repositories 22Development Secrets Leaks Jump 12%22Google,AWS(Still)Fertile Ground for Exposed Secrets 23Secrets Leaks a Comm

5、on Thread in Supply Chain Attacks 24GitGot?GitHub Features Exploited by Malicious Actors 25Malicious Campaigns Crop Up on NuGet,VS Code 25A Drop in Open-Source Malware 26CVEs Lose Relevance 27Cracks in the NVD Emerge 27Vulnrichment to the Rescue?29Imagining a Post-CVE Future 30Supply Chain Incidents

6、 2024 31Table of Contents2025 ReversingLabs,Inc.All Rights Reserved2What Comes Next 32AI/ML Supply Chain Risks Get Real 32Organizations Level Up Their Software Supply Chain Security 33Nth Party Risk:Thinking Beyond the SBOM 33Our Methodology 34CVE and Vulnerability Data 34Security Policies 35OpenSSF