An analysis published by ReversingLabs, a provider of tools for securing application development environments, suggests that commercial software used in software supply chains is just as vulnerable as open-source code.
Scans of more than two dozen widely used commercial-software binaries, including commercial operating systems, password managers, web browsers and virtual private network (VPN) software, found numerous risks, with many of the packages receiving a failing security grade due to the discovery of exposed secrets, actively exploited software vulnerabilities, evidence of possible code tampering and inadequate application hardening.
ReversingLabs also scanned 20 distinct versions of VPN clients from six prominent vendors. Seven of the 20 VPN packages contained one or more patch-mandated and/or exploited software vulnerabilities. Four of the 20 VPN packages scanned contained exposed developer secrets.
In comparison, scans of 30 open source packages that account for more than 650 million total downloads across three leading open source package managers found an average of six critical-severity and 33 high-severity flaws per package. Of the 164 distinct code vulnerabilities discovered, 43 were rated “critical” severity and 81 were rated high. Seven of the vulnerabilities are known to have been actively exploited by malware.
The report also notes that incidents of exposed development secrets via publicly accessible, open-source packages rose 12% in 2024, and that popular npm, PyPI and RubyGems packages based on open-source modules contain old and outdated open-source and third-party software modules.
Attacks against open source software are also becoming more difficult to detect. The report notes, for example, that researchers discovered a malicious technique dubbed “nullifAI” in which malicious code was placed in Pickle serialization files and evaded the protections built into the Hugging Face platform for accessing open-source software used to build AI applications.
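As an added, defender-side illustration (not code from the report, the article or Hugging Face): the Pickle format is an opcode stream that can import and call arbitrary Python callables when loaded, so a model file should be inspected statically before anyone deserializes it. The scanner below walks the stream with the standard library's `pickletools` without ever unpickling it, records every imported global (both the `GLOBAL` and the protocol 4 `STACK_GLOBAL` form), counts call opcodes, flags imports outside a hypothetical allowlist, and keeps whatever it saw before a parse error instead of discarding the result when the stream is truncated or malformed. The allowlist entries and the sample streams are constructed for this example.

```python
import io
import json
import pickle
import pickletools

# Hypothetical allowlist of (module, name) pairs a legitimate model file may
# reference. A real deployment would derive this from the framework in use.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Opcodes that push a string argument; the two most recent ones feed STACK_GLOBAL.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}

# Opcodes that invoke a callable during unpickling.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data: bytes) -> dict:
    """Statically inspect a pickle byte stream; never calls pickle.load()."""
    findings = {"globals": [], "calls": 0, "suspicious": [], "parse_error": None}
    recent_strings = []  # operand history used to resolve STACK_GLOBAL
    try:
        for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
            name = opcode.name
            if name in STRING_OPCODES:
                recent_strings.append(arg)
                continue
            ref = None
            if name in ("GLOBAL", "INST"):
                # genops renders the two-line operand as "module name"
                module, qualname = arg.split(" ", 1)
                ref = (module, qualname)
            elif name == "STACK_GLOBAL" and len(recent_strings) >= 2:
                ref = (recent_strings[-2], recent_strings[-1])
            if ref is not None:
                findings["globals"].append(ref)
                if ref not in ALLOWED_GLOBALS:
                    findings["suspicious"].append(ref)
            if name in CALL_OPCODES:
                findings["calls"] += 1
    except Exception as exc:  # truncated stream, unknown opcode, bad operand
        # Keep everything recorded so far: a broken tail must not hide what
        # the head of the file already tried to import.
        findings["parse_error"] = str(exc)
    return findings


def verdict(findings: dict) -> str:
    """'reject' if any non-allowlisted import or a malformed stream was seen."""
    if findings["suspicious"] or findings["parse_error"] is not None:
        return "reject"
    return "allow"


# Constructed samples for this example.
# 1. A plain data pickle: no imports at all.
BENIGN = pickle.dumps({"weights": [1.0, 2.0, 3.0]}, protocol=4)
# 2. Hand-assembled protocol 2 stream: GLOBAL os.getcwd, empty tuple, REDUCE, STOP.
#    Harmless if loaded, but it imports and calls something outside the allowlist.
SUSPICIOUS = b"\x80\x02cos\ngetcwd\n)R."
# 3. The same stream with the STOP opcode cut off: a malformed file.
TRUNCATED = SUSPICIOUS[:-1]
# 4. Protocol 4 reference to a function, which pickle encodes with STACK_GLOBAL.
STACK_GLOBAL_REF = pickle.dumps(json.dumps, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                        ("truncated", TRUNCATED), ("stack_global", STACK_GLOBAL_REF)]:
        f = scan_pickle(blob)
        print(f"{label:13s} {verdict(f):6s} globals={f['globals']} "
              f"calls={f['calls']} error={f['parse_error']!r}")
```

The scanner reports opcodes, not behaviour: a file can pass it and still be unsafe to load if the allowlisted callables themselves are dangerous, so treat it as one gate in front of a sandboxed load, not as a replacement for one.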
Saša Zdjelar, chief trust officer for ReversingLabs, said it’s becoming apparent that no matter how it was created, much of the software organizations are relying on is insecure. While there is much greater awareness of the potential threat open source software poses, many organizations are assuming that commercial software is more secure when, in fact, it may have many of the same issues, he added. Unfortunately, many of those commercial software components are not getting the same level of scrutiny that is now being applied to open source software, noted Zdjelar. As a result, many of the applications being used by organizations are, from a cybersecurity perspective, simply defective, said Zdjelar.
At the same time, however, more organizations are now conducting security reviews of the software they use and, based on the results, informing vendors they are now on a formal “Do Not Renew” list until known vulnerabilities are addressed, he added.
While a lot of progress has of late been made in terms of adopting best DevSecOps practices, there is clearly still much work to be done, especially when it comes to truly understanding the provenance of the code being used in applications. Hopefully, advances in artificial intelligence (AI) will soon make it easier to discover and remediate known vulnerabilities. The issue, of course, is that cybercriminals are using the same advances to find and exploit those vulnerabilities faster and more deeply than ever.