Fulton, Md., July 14, 2026 (GLOBE NEWSWIRE) -- Sonatype®, the company helping enterprises build with confidence in the AI era, today marked the 15-year anniversary of Sonatype Research Labs, the team behind more than a decade of software supply chain intelligence that helps developers and security teams separate meaningful risk from advisory noise. The anniversary arrives as software supply chain attacks are undergoing their biggest transformation in decades.
Founded in 2011, Sonatype Research Labs has uncovered major malware campaigns, tracked the evolution of software supply chain attacks, and delivered the research security teams rely on to make policy and remediation decisions with confidence. That historical context and experience forms the foundation of Attacking the Assembly Line, the team's latest research report, which examines how software supply chain attacks look in the AI era.
"The AI era forced us to rethink where software supply chain research was headed. Vulnerabilities remain important, but we realized the next frontier is understanding intentionally malicious software and the attackers behind it," said Adam Cazzolla, Head of Research Labs at Sonatype. "That's exactly what Attacking the Assembly Line explores: not just how attacks are changing, but why they're changing."
The biggest AI-era shift is a change in attacker strategy. Sonatype Research Labs found attackers are increasingly investing in precision campaigns designed to influence software decisions before code is ever written. According Attacking the Assembly Line:
- Targeted malicious package campaigns increased 75× in just two years, showing attackers are investing more effort in reaching specific developers and organizations.
- 62% of AI-era malicious packages analyzed executed during installation, allowing attackers to steal credentials and compromise developer environments before code ever reaches production.
- More than one in four malicious packages now use advanced stealth techniques, making malicious software harder to understand, investigate, and block.
"Fifteen years ago, people questioned whether open source vulnerabilities even mattered. Many organizations didn't realize how much open source they were actually shipping. Software supply chain attacks and software composition analysis were not a part of the conversation,” said Brian Fox, Co-founder and CTO of Sonatype and Steward of Maven Central. “Today, every organization depends on software they didn't write, and attackers know it. The challenge is no longer discovering that software supply chains matter. It's giving developers intelligence they can trust as AI changes how software gets built."
To read the full analysis from Sonatype Research Labs, visit https://www.sonatype.com/resources/research/attacking-the-assembly-line.
About Sonatype
Sonatype is the company that accelerates agentic software development with confidence. Trusted by thousands of enterprises and millions of developers, Sonatype helps organizations build with confidence by governing the open source, AI-generated, and third-party components that power modern software. As the steward of Maven Central and the company behind Nexus Repository, Sonatype provides unmatched visibility into how software is built, consumed, and secured — helping teams move faster, reduce risk, and ship software with confidence at AI scale. To learn more about Sonatype, please visit www.sonatype.com.

Sonatype press@sonatype.com