A report by the Ponemon Institute found that 59% of organizations experienced a software supply chain attack, with 54% of these respondents having experienced one in the past year. This survey was conducted among 1,278 IT and IT security practitioners, with managers, directors and senior executives making up nearly half (49%) of the survey demographic.

28% of respondents state that a previously detected, unpatched open-source vulnerability was the cause of the software supply chain attack, while 23% report a zero-day vulnerability as the cause. Out of these organizations, 50% took more than a month to respond to the incident. 

Responses from those surveyed suggests a lack of commitment (from organizations and/or executives) to mitigate the risk of malicious code/malware. Only 45% report that their organizations have a system in place for defending against malicious open-source packages, and only 39% believe that their senior leadership is highly dedicated to mitigating these risks in software supply chains.