Ninety-six percent of open source Java downloads with known cybersecurity vulnerabilities could have been avoided because a better version was available, but was not used, according to a new report.

The eighth annual State of the Software Supply Chain Report from Sonatype found a massive surge in open source supply, demand and malicious attacks, in addition to legacy open source downloads leading to vulnerability exploitation.

According to the report, this means 1.2 billion known-vulnerable dependencies that could be avoided are being downloaded every month, pointing to non-optimal user behaviors as the root of open source risk. This is in contrast to public discussion, which often associates security risk with open source maintainers. The report found open source maintainers to be, on average, efficient at delivering fixes to issues.

With more open source being consumed than ever before, attacks targeting the software supply chain have increased as well, both in frequency and complexity. This year’s research revealed a 633% year over year increase in malicious attacks aimed at open source in public repositories — equating to a 742% average yearly increase in software supply chain attacks since 2019.

For more report findings, click here.