Concise Cyber


Open-Source Malware Surges by Over 700%, Threatening Software Supply Chains

A recent report has documented a significant rise in malicious attacks targeting open-source software ecosystems. According to Sonatype’s 8th annual “State of the Software Supply Chain” report, there has been a 742% average annual increase in software supply chain attacks over the past three years. This surge highlights growing security concerns tied to the widespread use of open-source components in enterprise applications.

The extensive analysis, which examined over 100,000 open-source projects and 1.2 trillion open-source downloads, found that the problem is widespread. The report reveals that approximately one in eight open-source downloads contains a known security vulnerability. This issue is amplified by the fact that 95% of enterprise software applications incorporate open-source components, often without rigorous security vetting.

The Nature of the Threat

Malicious actors are exploiting the trust that underpins open-source ecosystems by seeding them with malicious code, whether as tainted contributions to existing projects or as malicious packages published to public registries. These attacks target upstream dependencies, which are then pulled, unknowingly, into a vast number of downstream applications. The report documents a 633% year-over-year increase in malicious attacks specifically targeting upstream open-source projects. One such method is dependency confusion: an attacker publishes on a public registry a package bearing the same name as a company's private, internal package, typically with a higher version number, so that a build configured to consult both the internal and the public index resolves the attacker's copy instead. This differs from typosquatting, which relies on look-alike names rather than an exact match.
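To make the resolution problem concrete, here is an added example (not code from the article or from Sonatype) that models a package manager merging candidates from a private and a public index, the way `pip install --extra-index-url` does, and contrasts it with a policy under which names owned by the private index are never served from the public one. All package names, versions and index contents are constructed for illustration.

```python
# Added example (not from the article or Sonatype): a toy model of how a
# package manager that merges candidates from a private and a public index
# falls for dependency confusion, and how an index policy that owns internal
# names prevents it. All package names, versions and index contents below
# are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # parsed dotted version, e.g. (1, 4, 2)
    index: str       # which index offered it: "private" or "public"


def parse_version(text: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed registry contents. "acme-billing" exists only internally;
# the attacker has registered the same name publicly with a huge version.
PRIVATE_INDEX = {
    "acme-billing": {"1.4.2"},
    "acme-auth": {"2.0.0", "2.1.0"},
}
PUBLIC_INDEX = {
    "widgetlib": {"3.2.0"},
    "acme-billing": {"99.0.0"},   # attacker-controlled package
}


def candidates(name: str, indexes: dict) -> list:
    """Collect every (name, version, index) offered for `name`."""
    found = []
    for index_name, contents in indexes.items():
        for version in contents.get(name, ()):
            found.append(Candidate(name, parse_version(version), index_name))
    return found


def resolve_merged(name: str):
    """Vulnerable resolution, as with `pip install --extra-index-url`:
    every index is searched and the highest version wins, wherever it lives."""
    found = candidates(name, {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX})
    return max(found, key=lambda c: c.version) if found else None


def resolve_owned_names(name: str):
    """Hardened resolution, the policy a repository proxy or virtual
    repository should enforce: a name published on the private index is
    served only from there; the public index is consulted only for names
    the organisation does not own."""
    private = candidates(name, {"private": PRIVATE_INDEX})
    if private:
        return max(private, key=lambda c: c.version)
    public = candidates(name, {"public": PUBLIC_INDEX})
    return max(public, key=lambda c: c.version) if public else None


def confusion_exposure(internal_names) -> list:
    """Audit check: internal names that already exist on the public index.
    Any hit is either an attacker's claim or a name that should be reserved."""
    return sorted(n for n in internal_names if n in PUBLIC_INDEX)


if __name__ == "__main__":
    for resolver in (resolve_merged, resolve_owned_names):
        chosen = resolver("acme-billing")
        print(f"{resolver.__name__}: acme-billing -> "
              f"{'.'.join(map(str, chosen.version))} from {chosen.index}")
    print("exposed internal names:", confusion_exposure(PRIVATE_INDEX))
```

Run as a script, the merged resolver picks the attacker's 99.0.0 from the public index, while the ownership policy returns the internal 1.4.2. The audit helper is the cheap check worth running regularly: any internal package name that already resolves on a public registry is either an active attack or a name that should be reserved there before someone else claims it.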

A Call for Enhanced Security Measures

The findings point to a structural weakness in modern software development. Brian Fox, Sonatype's Chief Technology Officer, stated that the inherent trust placed in open source has become a new and profitable target for attackers. The report indicates a growing need for organizations to adopt more rigorous security practices. A Software Bill of Materials (SBOM), an inventory of every component in a piece of software, is presented as a key tool: matched against vulnerability data, it lets organizations find and remediate known vulnerabilities in their dependencies, and it gives the visibility needed to enforce policies that allow only vetted and approved open-source components into a build.
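As an added illustration of how an SBOM is used in practice (example code, not from the article or Sonatype), the block below builds a minimal CycloneDX-style SBOM from a constructed pip-freeze style lockfile and matches each component against a constructed advisory list. The package names, versions and advisory identifiers are placeholders; a real check would consult a vulnerability database.

```python
# Added example (not from the article or Sonatype): builds a minimal
# CycloneDX-style SBOM from a constructed pip-freeze style lockfile and
# matches each component against a constructed advisory list. The package
# names, versions and advisory entries are invented for illustration;
# a real check would consult a vulnerability database.
import json


def parse_version(text: str) -> tuple:
    """'1.26.5' -> (1, 26, 5) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed lockfile, one pinned requirement per line.
LOCKFILE = """\
# constructed sample, not a real project
widgetlib==3.2.0
acme-billing==1.4.2
formlib==0.9.1
"""

# Constructed advisories: a component is affected if its version is
# below `fixed_in`. Identifiers are placeholders, not real advisory IDs.
ADVISORIES = [
    {"id": "SAMPLE-ADVISORY-1", "package": "widgetlib", "fixed_in": "3.2.5"},
    {"id": "SAMPLE-ADVISORY-2", "package": "formlib", "fixed_in": "0.9.0"},
]


def parse_lockfile(text: str) -> list:
    """Turn 'name==version' lines into CycloneDX-style component entries
    with a Package URL (purl) so each component is unambiguous."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return components


def build_sbom(lockfile_text: str) -> dict:
    """Minimal CycloneDX JSON document: format, spec version, components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": parse_lockfile(lockfile_text),
    }


def find_affected(sbom: dict, advisories: list) -> list:
    """Match SBOM components against advisories; returns (purl, advisory id)
    for every component whose version is below the fixed version."""
    hits = []
    for component in sbom["components"]:
        for advisory in advisories:
            if advisory["package"] != component["name"]:
                continue
            if parse_version(component["version"]) < parse_version(advisory["fixed_in"]):
                hits.append((component["purl"], advisory["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(LOCKFILE)
    print(json.dumps(sbom, indent=2))
    for purl, advisory_id in find_affected(sbom, ADVISORIES):
        print(f"AFFECTED {purl} ({advisory_id})")
```

The value of the SBOM here is that the matching step is decoupled from the build: the same document can be re-checked whenever new advisories appear, without rebuilding or re-scanning the application, and the purl gives a stable key for that lookup across tools.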

Source: https://www.thehindubusinessline.com/info-tech/open-source-malware-surges-raising-cyber-security-concerns/article70175811.ece