Supply Chain Blind Spot: SCA Tools Miss 5.4M End‑of‑Life Open‑Source Packages
What Happened — New research shows that mainstream Software Composition Analysis (SCA) tools and CVE feeds systematically ignore end‑of‑life (EOL) open‑source package versions, leaving millions of components unalerted. HeroDevs’ “EOL DS” service identified over 5.4M EOL package versions across npm, PyPI, Maven, NuGet and other registries that are invisible to typical scanners.
Why It Matters for TPRM —
- False‑negative vulnerability alerts give a false sense of security to third‑party risk owners.
- Undetected EOL components can be weaponised in supply‑chain attacks, exposing downstream customers.
- Risk assessments that rely solely on CVE feeds may dramatically under‑estimate exposure.
Who Is Affected — Enterprises across all sectors that consume open‑source libraries via SaaS, cloud, or on‑premise applications; SCA vendors; and any third‑party software providers that ship open‑source dependencies.
Recommended Actions —
- Augment existing SCA solutions with an EOL‑aware inventory (e.g., HeroDevs EOL DS or similar).
- Incorporate EOL status checks into SBOM validation pipelines.
- Re‑evaluate vendor risk scores for suppliers that rely heavily on open‑source stacks.
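The EOL status check recommended above, as an added example that is not HeroDevs', BleepingComputer's or any SCA vendor's code: a CVE‑only pass over a CycloneDX‑style SBOM beside an EOL‑aware pass. The SBOM, the advisory ranges, the EOL feed and the package names are all constructed for illustration; the CVE id is a placeholder.

```python
# Added example (not HeroDevs'/BleepingComputer's code); feeds and SBOM are constructed.
import json
from itertools import takewhile

# Constructed advisory feed: "type/name" -> [(cve_id, min_ver, max_ver)].
# Maintainers scoped the range to the maintained 2.x line; the EOL 1.x
# line was never assessed, so no published range ever covers it.
CVE_FEED = {"npm/example-http": [("CVE-0000-0000", (2, 0, 0), (2, 3, 4))]}  # placeholder id

# Constructed EOL feed: "type/name" -> last EOL version (all <= it are EOL).
EOL_FEED = {"npm/example-http": (1, 9, 9), "pypi/example-orm": (0, 4, 2)}

# Constructed CycloneDX-style SBOM; components are identified by purl.
SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"purl": "pkg:npm/example-http@1.8.3"},                # EOL, outside CVE range
    {"purl": "pkg:npm/example-http@2.1.0"},                # supported, inside range
    {"purl": "pkg:pypi/example-orm@0.4.0"},                # EOL, no advisories at all
    {"purl": "pkg:maven/org.example/example-core@3.2.1"},  # neither
]})

def parse_version(text):
    """'1.8.3' -> (1, 8, 3); a non-numeric suffix such as '3-rc1' counts as 3."""
    return tuple(int("".join(takewhile(str.isdigit, p)) or 0) for p in text.split("."))

def split_purl(purl):
    """'pkg:maven/org.example/example-core@3.2.1' -> ('maven/example-core', '3.2.1')."""
    body = (purl[4:] if purl.startswith("pkg:") else purl).split("?", 1)[0]
    path, _, version = body.rpartition("@") if "@" in body else (body, "", "")
    ptype, _, rest = path.partition("/")
    return f"{ptype}/{rest.rsplit('/', 1)[-1]}", version

def cve_findings(sbom_json):
    """What a CVE-only scanner reports: versions inside a published range."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        key, ver = split_purl(comp["purl"])
        for cve, lo, hi in CVE_FEED.get(key, []):
            if ver and lo <= parse_version(ver) <= hi:
                hits.append((comp["purl"], cve))
    return hits

def eol_findings(sbom_json):
    """EOL-aware pass: flag versions at or below the package's last EOL version."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        key, ver = split_purl(comp["purl"])
        if ver and key in EOL_FEED and parse_version(ver) <= EOL_FEED[key]:
            hits.append(comp["purl"])
    return hits

if __name__ == "__main__":
    print("CVE-only findings:", cve_findings(SBOM))   # misses both EOL versions
    print("EOL findings:     ", eol_findings(SBOM))   # catches them
```

In a real pipeline the EOL feed would come from an EOL data service and the SBOM from the build, but the gap is the same: an EOL version falls outside every published range, so a CVE‑only pass reports nothing for it.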
Technical Notes — The blind spot stems from the CVE ecosystem’s reliance on maintainers to define affected version ranges; once a project reaches EOL, maintainers stop publishing advisories, causing scanners to treat those versions as “not in scope.” No specific CVE is introduced, but the issue amplifies the impact of existing high‑severity vulnerabilities (e.g., CVE‑2026‑22732 in Spring Security). Source: BleepingComputer