Twenty-five years ago today, the world was introduced to one of the most infamous computer viruses in history: ILOVEYOU.
Disguised as a love letter in a simple email attachment, the worm spread like wildfire across inboxes on 4 May 2000, infecting an estimated 45 million systems within days. It caused billions in damages and forced global businesses, governments, and individuals to rethink how they handled email security.
ILOVEYOU marked a turning point in cybersecurity. Unlike earlier viruses that relied on floppy disks or infected executables, ILOVEYOU exploited the human element, such as curiosity, trust, and a desire for connection.
It showed how social engineering could be just as potent as technical exploits, a lesson that is as true today as it was then.
A Dramatic Evolution
In the years since, malware has evolved dramatically. Bad actors now use sophisticated ransomware, fileless malware, supply chain attacks, and AI-generated phishing lures. They target everything from critical infrastructure to small businesses, with motivations ranging from financial gain to political disruption.
However, despite the evolution of tactics and tools, the core vulnerability remains the same: people.
The legacy of ILOVEYOU lives on not just in the history books, but in the foundations of modern cybersecurity. It prompted the adoption of better email filters, antivirus software, and user awareness training.
A quarter-century later, it remains a stark reminder of how a single click can trigger a global crisis.
Tim Mackey, head of software supply chain risk strategy at Black Duck, says there are striking parallels between the assumptions exploited by ILOVEYOU in 2000 and those that still lurk within today’s software supply chains.
“The ILOVEYOU virus was a piece of malware whereby the attack vector was effectively an insecure email system. The attack preyed on the assumption that best practices at the time had been applied for securing an email system; a misplaced trust that email was a perfectly appropriate way to communicate in a business environment.
“This was before the concept of ‘phishing’ was widely recognised. Yet, this early social engineering attack certainly helped set the stage for the more mature malware-based social engineering strategies we see today. The ILOVEYOU virus was an inflection point for email security, as it was a wake-up call that the previously accepted assumptions weren’t actually correct.”
Assumptions Under Attack
Fast forward to today, and Mackey says we are seeing similar assumptions being attacked throughout software supply chains and development practices. “If you don’t have active ownership of the elements within your software supply chain, you’re making assumptions that someone else is doing the work for you. In the 2025 OSSRA report, 64% of the open source components identified in our scans were transitive dependencies – open source libraries that other software components rely on to function.”
He says this tells us that just because a patch can be applied, it doesn’t necessarily mean that the patch itself resolves the issue; in fact, it may introduce other issues. “This is a concept we need to raise more awareness and education about in the industry, as illustrated by the XZ Utils backdoor, which came to light in February 2024, and the GitHub Action exploit from March 2025.”
While the modern software supply chain scenario differs from that of the ILOVEYOU email bug, Mackey says the lesson we can learn is the same. “Assumptions often lead to trouble.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


