Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Brian Fox, CTO of Sonatype
As 2024 comes to a close, the cybersecurity landscape has been marked by a surge in threats, particularly within open source ecosystems. Recent research reveals that malicious open source packages have surpassed 778,500, with developers, especially in the government and financial sectors, becoming prime targets. This year has underscored how the growing reliance on open source tools, particularly for AI development, can introduce new vulnerabilities into software supply chains. Reflecting on these developments with my colleagues, we've compiled a set of predictions for 2025 that highlight the risks and the new battlegrounds we'll face in defending our software ecosystems.
My thoughts:
- An AI "Wild Wild West" Will Have Consequences for Cybersecurity
As with any change of hand, a new administration means hitting reset on the current administration's initiatives. Over the last four years, there has been an uptick in Executive Orders centered around cybersecurity strategies and AI guardrails, but those constraints could come off next year, and it could have major implications for businesses. Failing to balance innovation with safety and security will lead to further weaponization of AI in cyberattacks, and it will be incredibly difficult to stop them.
- EU Regulations Will Influence US Companies To Change Their Cybersecurity Practices
As organizations operate on a global scale, the changing regulatory landscape will transform how they engage with open source next year. With EU policies driving an increased focus on software integrity and security, US businesses will need to ensure their open source components meet the new standards or risk facing significant financial penalties and reputational damage. Regardless of regulatory requirements in the United States, the stricter scrutiny and rising demand for greater transparency across the pond will force US organizations to adopt more detailed Software Bills of Materials (SBOMs) and clearer vulnerability reporting for their open source projects.
Mitchell Johnson, Chief Product Development Officer at Sonatype
- Automation Will Define Security Winners and Losers
AI's impact on software development in the coming year will be impossible to ignore. Tools like generative AI are already making developers faster and more efficient than ever, but they're also creating new security and software quality challenges. As the speed of development accelerates, security teams are struggling to keep up. Meanwhile, bad actors are leveraging the same AI tools to execute more sophisticated supply chain attacks at breakneck speed. In 2025, there will be a sharp divide between organizations prepared to defend their systems in this new era of AI-powered cyber threats and those that aren't: organizations that focus on security automation will come out on top, while those that do not will bear the brunt of a new wave of attacks.
- The New Era of Software Developers as Strategic Innovator
The role of a developer has evolved dramatically over the years, and that evolution isn't slowing down. In 2025, developers will focus less on custom coding and more on selecting, integrating and optimizing the best components to build great software. As AI handles repetitive tasks and suggests smarter ways to solve problems, developers will transform into strategic innovators driving the business forward. The real differentiator will be their ability to deeply understand and solve market problems, not just build software faster and cheaper. The gap between the "10x" developer and everyone else will widen and increasingly be defined by those who adopt the best AI-driven toolset and those who do not.
Ilkka Turunen, Field Chief Technology Officer at Sonatype
- The Continued Rise of AI-Assisted Malware
AI-assisted malware has surged. Bad actors publish malicious software en masse to exploit vulnerabilities faster than traditional defenses can adapt. Expect even more sophisticated attacks on the software supply chain in 2025, as cybercriminals refine AI to pinpoint targets and deploy malware with alarming precision. While developers are using AI to speed up coding, bad actors are using it to make malware more evasive and resilient. We all saw what happened with CrowdStrike, and that was just an accident. Imagine the devastation of a purposely malicious event of that magnitude, tailored to create the biggest possible impact. It might not happen in 2025, and we hope it doesn't, but someone out there is looking to replicate that disruption. Organisations must fortify their security postures now, as future breaches could reach them indirectly, even if they're not the primary target.
- The Compliance Push in Software Supply Chains
For the first time since GDPR, compliance will overtake innovation as the key driver of technological change in enterprises. The EU is bringing a whole host of developments, from the CRA, which mandates strict cybersecurity practices throughout a product's lifecycle, to the PLD, which holds software providers liable for product defects. Expect to see these steps mirrored in other regions to a greater or lesser extent. Savvy businesses will be on the front foot, proactively taking steps to meet these compliance challenges. Those that don't will have to spend even more resources to catch up. Whichever approach is taken, compliance will again be a chief concern, not just for specialists and product managers, but for the board as well.
Ax Sharma, Cybersecurity Researcher at Sonatype
- Unmaintained Open Source Projects Will Have Major Consequences
Unmaintained open source libraries and archived repositories have been a persistent risk for years, but in 2025, organizations will be forced to take action. As organizations take greater inventory of the components within their software via SBOMs, they will be forced to reckon with the threat posed by legacy components, which often do not receive regular security updates.
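The SBOM inventory described above only tells you what is in the build; deciding which of those components is unmaintained needs a second signal such as the date of the last release or whether the source repository has been archived. The following script is an added example (not code from the article or from Sonatype) that reads a CycloneDX-style SBOM and flags components that are archived, stale beyond an age limit, or missing maintenance data entirely. The SBOM contents, the package names and purls, and the maintenance metadata table are all constructed for the example; in a real pipeline that metadata would be gathered from the package registry or source forge and cached.

```python
"""Flag unmaintained components listed in a CycloneDX SBOM (added example)."""
import json
from datetime import date

# Constructed sample SBOM in CycloneDX JSON shape. Package names, versions
# and purls are placeholders invented for this example, not real packages.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-widget", "version": "2.1.0",
     "purl": "pkg:npm/example-widget@2.1.0"},
    {"type": "library", "name": "example-parser", "version": "0.9.1",
     "purl": "pkg:pypi/example-parser@0.9.1"},
    {"type": "library", "name": "legacy-util", "version": "1.0.0",
     "purl": "pkg:maven/org.example/legacy-util@1.0.0"},
    {"type": "library", "name": "example-orphan", "version": "0.1.0",
     "purl": "pkg:npm/example-orphan@0.1.0"}
  ]
}
"""

# Constructed maintenance metadata keyed by purl. A real pipeline would fetch
# last-release dates and archived status from the registry or source repository;
# the values below are made up for the example.
MAINTENANCE_METADATA = {
    "pkg:npm/example-widget@2.1.0": {"last_release": "2024-10-15", "archived": False},
    "pkg:pypi/example-parser@0.9.1": {"last_release": "2021-03-02", "archived": False},
    "pkg:maven/org.example/legacy-util@1.0.0": {"last_release": "2023-06-01", "archived": True},
}


def load_components(sbom_json: str) -> list:
    """Parse a CycloneDX JSON document and return its component list."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom.get("components", [])


def component_key(component: dict) -> str:
    """Prefer the purl as identity; fall back to name@version if it is absent."""
    return component.get("purl") or f"{component.get('name')}@{component.get('version')}"


def find_unmaintained(components, metadata, today: date, max_age_days: int = 730) -> dict:
    """Return {component_key: [reasons]} for every component that looks unmaintained.

    A component is flagged when its repository is archived, when its last release
    is older than max_age_days, or when no maintenance data exists at all (an
    unknown component is treated as a finding, not silently passed).
    """
    findings = {}
    for component in components:
        key = component_key(component)
        meta = metadata.get(key)
        if meta is None:
            findings[key] = ["no maintenance data available"]
            continue
        reasons = []
        if meta.get("archived"):
            reasons.append("source repository archived")
        last_release = date.fromisoformat(meta["last_release"])
        age_days = (today - last_release).days
        if age_days > max_age_days:
            reasons.append(f"last release {age_days} days ago (limit {max_age_days})")
        if reasons:
            findings[key] = reasons
    return findings


def audit_sbom(sbom_json: str, metadata: dict, today_iso: str, max_age_days: int = 730) -> dict:
    """Convenience wrapper: parse the SBOM and audit it as of the given ISO date."""
    components = load_components(sbom_json)
    return find_unmaintained(components, metadata, date.fromisoformat(today_iso), max_age_days)


if __name__ == "__main__":
    # Audit the constructed SBOM as of a fixed date so the report is reproducible.
    report = audit_sbom(SAMPLE_SBOM_JSON, MAINTENANCE_METADATA, "2025-01-01")
    for key, reasons in sorted(report.items()):
        print(f"{key}: {'; '.join(reasons)}")
```

The two-year age limit is a starting point, not a standard; tune it per ecosystem, and treat the "no maintenance data available" case as a gap to close rather than noise, since a component nobody can account for is exactly the legacy dependency the passage warns about.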
- Attackers Will Double Down on Open Source Crypto-Stealers
New protocols like the Tea protocol, with its blockchain rewards for developers, are already driving some users to abuse open source registries to test self-reward mechanisms, but the trend of flooding open source registries with crypto-stealers and bogus packages will likely intensify in 2025. This mass-publishing activity threatens to throttle registries and disrupt legitimate usage, creating potential DoS risks for developers worldwide.
As we head into 2025, organizations must embrace automation and AI-driven defenses to stay ahead in the cybersecurity arms race. Adaptability, resilience and proactive security measures will be the key to navigating the evolving AI and open source threats. Those who can innovate while maintaining strong security practices will be best positioned to confront the challenges ahead.