Three months after the Apache Software Foundation disclosed the Log4j vulnerability and issued a fix for it, over 40% of downloads of the logging library are still known-vulnerable versions. Sonatype's Maven Central dashboard shows that 41% of Log4j packages downloaded between Feb. 4 and March 10, 2022, were versions prior to Log4j 2.15.0, the first patched release. Likely reasons for the continued downloads of vulnerable versions include automated build systems pinned to old versions, under-maintained projects, and testing by researchers and adversaries.
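The practical question behind that statistic is whether your own builds are among the 41%. The following is an added example, not code from the page or from Sonatype: it applies the page's threshold (anything below 2.15.0 is vulnerable) to a dependency listing. The listing format (`group:artifact:version`, or the five-field `group:artifact:packaging:version:scope` form that `mvn dependency:list` prints) and the sample coordinates are my assumptions and constructed inputs; only `log4j-core` is checked because the JNDI lookup lives there, not in `log4j-api`. Two caveats a practitioner would want: 2.15.0 was later found incomplete and superseded by 2.16.0 and 2.17.x, so a policy that pins 2.15.0 is not enough, and Apache shipped backported fixes on the 2.12.x and 2.3.x branches for older Java, which a pure "below 2.15.0" comparison over-counts.

```python
import re
from typing import Dict, List, Tuple

# Assumption: the page's threshold. Versions below 2.15.0 (including
# pre-releases of 2.15.0 itself) are treated as vulnerable.
LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
FIXED_KEY = (2, 15, 0, 1, "")

# Maven-style version: major[.minor[.patch]][-qualifier], e.g. 2.0-beta9
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]([A-Za-z0-9.]+))?$"
)


def parse_version(version: str) -> Tuple[int, int, int, int, str]:
    """Turn a Maven version string into a comparable key.

    "2.15.0"    -> (2, 15, 0, 1, "")
    "2.0-beta9" -> (2, 0, 0, 0, "beta9")   # pre-release sorts before 2.0.0
    Unparseable strings raise instead of silently counting as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return (
        int(major),
        int(minor or 0),
        int(patch or 0),
        0 if qualifier else 1,  # a qualifier marks a pre-release
        qualifier or "",
    )


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the first fixed release."""
    return parse_version(version) < FIXED_KEY


def scan(dependency_listing: str) -> Dict[str, object]:
    """Count log4j-core entries and collect the versions below the fix.

    Accepts either 3-field coordinates or the 5-field lines that
    `mvn dependency:list` prints (assumed formats, not from the page).
    """
    flagged: List[str] = []
    total = 0
    for line in dependency_listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 3:
            group, artifact, version = parts
        elif len(parts) == 5:
            group, artifact, _packaging, version, _scope = parts
        else:
            continue  # not a coordinate line
        if f"{group}:{artifact}" != LOG4J_CORE:
            continue
        total += 1
        if is_vulnerable(version):
            flagged.append(version)
    return {"log4j_core_total": total, "vulnerable": flagged}


# Constructed sample listing; these coordinates are not taken from the page.
SAMPLE_DEPENDENCIES = """
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
org.apache.logging.log4j:log4j-core:2.15.0
org.apache.logging.log4j:log4j-core:2.17.1
org.apache.logging.log4j:log4j-core:2.0-beta9
org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
com.fasterxml.jackson.core:jackson-databind:2.13.2
"""

if __name__ == "__main__":
    result = scan(SAMPLE_DEPENDENCIES)
    print(f"log4j-core entries: {result['log4j_core_total']}")
    print(f"below 2.15.0: {result['vulnerable']}")
```

Run it over the real output of `mvn dependency:list` (or any list of resolved coordinates) rather than over the sample; the parser raises on a version string it cannot read so that an odd version never slips through as "safe".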

Supply Chain Attacks Surge in March 2026

Introduction

There was a significant increase in software supply-chain attacks in March 2026. Five major software supply-chain attacks occurred, including the Axios

