Widespread end-of-life package exposure across major open-source registries
Target Trend
Summary
End-of-life open source packages remain widespread across major registries, leaving enterprise dependency graphs exposed to versions with no patch path and limited CVE coverage. A large-scale lifecycle analysis found 5.4 million of 12 million package versions were EOL, showing that scanner silence can mask real risk. The gap is especially acute in transitive dependencies, where hidden EOL components can sit inside otherwise supported stacks.
Related Happenings
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception
Threat Actor Meta
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
**Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...
OpenAI Codex Security rolls out as a research-preview vulnerability-finding agent
Security Tool/Service
First: 07.03.2026 18:28
Last: 07.03.2026 18:28
Sources 1
About this happening:
**OpenAI** began rolling out **Codex Security** in **research preview**, adding an AI security agent that can **find, validate, and propose fixes** for vulnerabilities. The rollou...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
Ghostscript, OpenSC and CGIF memory corruption flaws
Vulnerability
First: 06.02.2026 07:49
Last: 06.02.2026 07:49
Sources 1
About this happening:
**Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...
Timeline
- 05.05.2026 17:00 · 2 articles · 22d ago
May 2026 report on end-of-life package exposure
Technical Analysis Update
A May 2026 report frames end-of-life open source packages as a widespread blind spot across npm, PyPI, Maven, NuGet, RubyGems, Go, Packagist, and crates.io: lifecycle analysis across 12 million package versions found 5.4 million EOL versions, while Sonatype's research cited 167,286 false negatives in 2025 and 5–15% EOL exposure in enterprise dependency graphs. The Spring Security example shows why scanner coverage fails: CVE-2026-22732 lists Spring Security 5.7.x through 7.0.x, but Spring Security 6.2.x reached EOL in December 2025, ships with Spring Boot 3.2, and HeroDevs says it is still affected without an upstream fix. April 2026 AI vulnerability research from Anthropic could widen the gap for unsupported code, because new findings in EOL versions will not be officially investigated or patched.
Sources:
- The EOL Blind Spot in Your CVE Feed: What SCA Tools Don't Check. — www.bleepingcomputer.com — 05.05.2026 17:00
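The Spring Security case above is the general pattern: a CVE's affected range covers a release line that is already EOL, so "affected" never turns into "patch available". The check below, added here as an illustration and not taken from the report or any SCA vendor, cross-references a dependency coordinate against both an advisory range and a lifecycle table so the EOL-with-no-fix case is labelled explicitly instead of being folded into "upgrade available". The lifecycle table and the `fixed_in` versions are constructed placeholders; only the 5.7.x–7.0.x affected range and the 6.2 EOL status come from the page.

```python
# Added example: combine advisory ranges with lifecycle (EOL) data so that an affected
# dependency on an EOL release line is reported as "no patch path", and an EOL line
# with no advisory at all is reported as unmonitored rather than "OK".
from dataclasses import dataclass

def ver(s: str) -> tuple:
    """'6.2.4' -> (6, 2, 4) for ordering; pre-release tags are out of scope here."""
    return tuple(int(p) for p in s.split("."))

def branch(s: str) -> str:
    """Release line of a version string: '6.2.4' -> '6.2'."""
    return ".".join(s.split(".")[:2])

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    package: str
    affected_from: str      # inclusive lower bound of the affected range
    affected_below: str     # exclusive upper bound of the affected range
    fixed_in: tuple = ()    # patched release per supported line (constructed values)

# Constructed lifecycle table (branch -> is EOL). Only "6.2": True reflects the page.
LIFECYCLE = {"spring-security": {"5.6": True, "6.2": True, "6.5": False, "7.0": False}}

# Advisory modelled on the page's description of CVE-2026-22732 ("5.7.x through 7.0.x");
# the fixed_in versions are placeholders, not the real patched releases.
ADVISORIES = [Advisory("CVE-2026-22732", "spring-security", "5.7.0", "7.1.0",
                       fixed_in=("6.5.99", "7.0.99"))]

def classify(package: str, version: str) -> str:
    """Risk label for one dependency coordinate."""
    line = branch(version)
    is_eol = LIFECYCLE.get(package, {}).get(line, False)
    hits = [a for a in ADVISORIES if a.package == package
            and ver(a.affected_from) <= ver(version) < ver(a.affected_below)]
    for adv in hits:
        line_fixes = [ver(f) for f in adv.fixed_in if branch(f) == line]
        if any(ver(version) >= f for f in line_fixes):
            continue  # already at or beyond the patched release of this line
        if line_fixes:
            return f"{adv.cve_id}:PATCH_AVAILABLE"
        # Affected, and this release line has no fix: EOL means it never will.
        return f"{adv.cve_id}:" + ("AFFECTED_EOL_NO_FIX" if is_eol else "AFFECTED_UPGRADE_BRANCH")
    # Scanner is silent here; an EOL line still carries unreported-bug risk.
    return "EOL_UNMONITORED" if is_eol else "OK"

def report(deps: list) -> dict:
    """Map 'package@version' -> label for a dependency list (transitive ones included)."""
    return {f"{p}@{v}": classify(p, v) for p, v in deps}
```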