The Financial News 247

The Software Supply Chain Disconnect

By News Room, January 28, 2026 (5 min read)

In a world increasingly defined by digital transformation, one of the most vital components of our technological infrastructure is also one of the most undervalued: open source software. It’s the lifeblood of modern development, forming the building blocks of applications, systems and services across industries. Yet despite its criticality, open source software often enters organizations without scrutiny, accountability, or even awareness. Why? Because it’s free.

This paradox—of software being both priceless and valueless—is at the heart of a growing crisis in software supply chain security. I recently sat down with Brian Fox, co-founder and CTO of Sonatype, to talk about the 2026 State of the Software Supply Chain report and discuss this issue in depth. What emerged was a striking picture of cognitive dissonance that threatens the very foundations of our digital ecosystem.

“Humans are terrible at assigning value to things that they themselves get for free. You know, the old tragedy of the commons kind of narrative,” Brian told me. “When you start looking at behaviors underneath the hood, you see tons and tons of waste.”

Fox added, “I used to think it was abuse, and there’s certainly some abuse, but I think it’s more unintentional waste in the form of just not thinking through how they use things.”

Brian knows a thing or two about this infrastructure. Through Maven Central, a repository managed by Sonatype, nearly all open source Java components are distributed to developers around the world.

Open source software is arguably one of the most mission-critical pieces of the internet and the devices and applications we rely on. Yet, as Brian points out, that importance is rarely matched by care or consideration.

Insights from the 2026 State of the Software Supply Chain Report

The newly released 2026 State of the Software Supply Chain report from Sonatype adds new urgency and data to this conversation. With open source downloads reaching a staggering 9.8 trillion across the top four registries—a 67% year-over-year increase—volume alone is reshaping the ecosystem.

But it’s not just the scale. The report reveals that over 1.233 million malicious packages were identified, showcasing how nation-state attackers increasingly mimic trusted developer tools. Alarmingly, many organizations continue to download known vulnerable components long after patches are available. Log4Shell, for example, was still downloaded 42 million times in 2025.

Even AI, while boosting development speed, is creating new supply chain vulnerabilities. Sonatype’s research found that GPT-5 hallucinated nearly 28% of component versions and, without real-time intelligence, even recommended malware. As Brian notes, “Trust needs to align with the machine-level speed of software. That takes intelligence you can enforce in the workflow, not another report to read after an incident.”

As Scott Crawford, head of information security research at 451 Research / S&P Global, notes, “These are not aspects of the technology supply chain that can be taken lightly. To preserve the value of OSS, its security and integrity must be responsibly—and consistently—addressed.”

Procurement Blind Spots and Governance Gaps

Crawford pointed out, “Open source software has long been touted for its security advantages—namely, that an involved community will be actively engaged in its development and maintenance, including for security issues and defects. But that assurance is only as good as that community engagement—and the expertise brought to the opportunity. What if neither materializes as expected? Or is inconsistent?”

According to Fox, though, the issue isn’t that open source maintainers aren’t doing their jobs. Quite the opposite. In fact, many open source projects patch vulnerabilities faster than their commercial counterparts. The problem is that there is no formal procurement process for open source components.

When organizations purchase commercial software, they follow a procurement process that includes legal review, vendor vetting and support contracts. With open source, none of that exists. Developers can grab a library from a public repository and have it running in production in minutes. The very thing that makes open source so powerful—its speed and accessibility—is also its Achilles’ heel.

“That’s why it became so popular. Developers get access to things and go really fast without having to go through a procurement cycle,” explained Brian. “The unintended consequence of that is nobody’s paying attention to what things are used in the organization, right? That’s the big root of the problem.”

That disconnect became painfully obvious just a few years ago during the Log4Shell crisis. A critical vulnerability in the widely used Log4j library led to a global scramble to patch systems. But even after extensive media coverage and government advisories, many organizations were slow—or entirely failed—to update. This wasn’t due to negligence so much as a lack of visibility and governance. If you don’t know what you’re using, how can you possibly manage the risk?
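The visibility gap described above is easiest to see in code. The check below is an added example written for this page, not code from the article or from Sonatype; it assumes the `group:artifact:type:version:scope` line format printed by `mvn dependency:list`, feeds it a constructed sample inventory, and flags every log4j-core occurrence in the Log4Shell-affected range (2.0-beta9 through 2.14.1), transitive and test-scoped ones included.

```python
"""Inventory check: parse `mvn dependency:list`-style output and flag log4j-core
versions in the Log4Shell-affected range (2.0-beta9 through 2.14.1).
Added example for this page, not code from the article or from Sonatype."""
import re

# Constructed sample of the `[INFO]    group:artifact:type:version:scope` lines
# printed by `mvn dependency:list` (transitive dependencies included; the
# optional classifier form is not handled here).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:test
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.0-beta9:runtime
"""
LINE_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"
    r"(?P<type>[\w\-]+):(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$")
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # final releases rank 3
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 3, 0); '2.0-beta9' -> (2, 0, 0, 1, 9).
    Order: major, minor, patch, qualifier rank, qualifier number."""
    core, _, qualifier = text.partition("-")
    nums = [int(p) for p in core.split(".")] + [0, 0]
    if not qualifier:
        return (*nums[:3], 3, 0)
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    rank = QUALIFIER_RANK.get(m.group(1).lower(), 0) if m else 0
    return (*nums[:3], rank, int(m.group(2) or 0) if m else 0)

AFFECTED_LOW, AFFECTED_HIGH = parse_version("2.0-beta9"), parse_version("2.14.1")

def parse_inventory(output):
    """One dict per dependency line; header and unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, output.splitlines()) if m]

def find_log4shell_exposure(output):
    """Return 'log4j-core <version> (<scope>)' for each affected occurrence."""
    hits = []
    for dep in parse_inventory(output):
        if (dep["group"], dep["artifact"]) != LOG4J_CORE:
            continue
        if AFFECTED_LOW <= parse_version(dep["version"]) <= AFFECTED_HIGH:
            hits.append(f"log4j-core {dep['version']} ({dep['scope']})")
    return hits
```

Run against the sample, `find_log4shell_exposure` reports the 2.14.1 compile-scope and 2.0-beta9 runtime-scope copies and ignores the patched 2.17.1; pointing it at real `mvn dependency:list` output gives the per-project inventory the article says most organizations lacked.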

Bridging the Gap Between Value and Valuation

We need to rethink how we value and manage the open source software we rely on. That starts with recognizing it as the critical infrastructure it is.

As Richard Stiennon, chief research analyst at IT-Harvest, points out, “Open source software lends itself to abuse by wily hackers, but there is also a problem with commercial software pinning their own products on OSS, like Linux, for instance. A clever attacker could corrupt most software libraries in security products. We have to move away from all levels of trust in the software we use.”

Rethinking that value means establishing internal processes that treat open source components with the same rigor as commercial software. It means investing in tools and practices that provide visibility into what is being used, where it is used and whether it is secure.

It also means acknowledging our collective responsibility. The companies benefiting from open source must support the ecosystems they depend on—whether through financial contributions, active participation, or simply using it more responsibly.

Until organizations bridge the gap between value and valuation, they will continue to expose themselves to avoidable risks. The software supply chain deserves better.

© 2026 The Financial 247. All Rights Reserved.