
US Warns of Foreign Cyber Threats to Infrastructure

by Tekmono Editorial Team
04/08/2025
in News

A senior U.S. military commander has warned of coordinated efforts by foreign adversaries to compromise America’s digital infrastructure through open-source software vulnerabilities, with China and Russia actively inserting malicious code into publicly available software.

The targeted open-source software is crucial to operations within multiple vital sectors of American infrastructure. Gen. Paul M. Nakasone, Commander of U.S. Cyber Command, emphasized that these compromised programs are “widely used by the U.S. military, government and private sector,” creating systemic vulnerabilities. The inherent transparency of open-source software, being publicly accessible and modifiable by anyone, makes it particularly susceptible to nation-state infiltration despite its widespread adoption in essential systems, including power grids and telecommunications networks.

“We’re seeing it in a number of different ways,” Nakasone stated during the Senate Armed Services Committee hearing. “We’re seeing our adversaries, in particular China and Russia, [engaging] in the insertion of malicious code in open-source software.” The general stressed the sophisticated nature of these covert operations, which aim to establish persistent access points within American digital ecosystems.

This revelation builds upon heightened concerns about software supply chain security following the devastating 2020 SolarWinds cyberattack. That incident, attributed to Russian state-sponsored hackers, compromised networks across multiple U.S. government agencies and private corporations by exploiting trusted software update mechanisms. The breach exposed fundamental weaknesses in how organizations vet third-party software components.

The U.S. government has intensified its focus on securing the software supply chain in recent years. These concerns culminated in President Biden’s May 2025 executive order mandating comprehensive cybersecurity improvements, with specific provisions addressing supply chain vulnerabilities. The order established enhanced security standards for software sold to the federal government and created stricter reporting requirements for cyber incidents.

Nakasone described the current threat as being taken “extraordinarily seriously” at the highest levels of government. Cyber Command is collaborating extensively with private sector partners to identify and neutralize the implanted malicious code. “We’re working very closely with our partners in the private sector to be able to identify this,” he confirmed, highlighting the essential role of industry collaboration in national cyber defense.

The general specifically called for reinforced protective measures around America’s software supply chain, labeling current safeguards insufficient against sophisticated nation-state actors. He noted that adversaries exploit the interconnected nature of modern software development, where open-source components are routinely integrated into commercial products and government systems without thorough security vetting.

Nakasone framed the challenge as global in scale, emphasizing that unilateral action would be insufficient. “This is a global challenge, and we need to work together to address it,” he asserted, advocating for strengthened alliances to collectively counter digital threats. The involvement of both China and Russia indicates a strategic convergence among cyber adversaries that demands coordinated international cybersecurity policies and intelligence sharing.

Security analysts note that open-source compromises represent a force-multiplier for hostile nations, enabling them to simultaneously target thousands of organizations through single-point vulnerabilities. Unlike traditional cyberattacks that require individual network penetration, poisoned software components can automatically distribute malware to all users during routine updates.

The warning underscores the evolving nature of cyber warfare, where attacks increasingly occur long before detection through compromised development tools and software dependencies. Cybersecurity experts observe that such tactics reflect a strategic shift toward “pre-positioning” within software ecosystems to enable future disruptive operations.

Federal agencies are reportedly developing new frameworks for validating software integrity, including enhanced code-signing requirements and software bill of materials (SBOM) implementation. The administration is also considering incentives for open-source maintainers to adopt improved security practices, acknowledging that many critical projects operate with limited resources despite their widespread deployment in critical infrastructure.

As threats to America’s digital foundations continue evolving, the testimony highlights the urgent need for comprehensive strategies that bridge governmental, private sector, and international efforts to secure the increasingly complex software supply chain landscape against sophisticated nation-state threats.

Tekmono is a Linkmedya brand. © 2015.
