Cyber attacks on open source ecosystems have increased seven times over across the last three years, according to data from an annual report.
According to early data from DevSecOps automation specialist Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full in October, an average 700% jump in repository attacks has been recorded over the last three years.
To capitalise on weaknesses in upstream open source ecosystems, cybercriminals continue to target organisations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype says its repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.
Open source cyber attacks show no sign of slowing down
“Almost every modern business relies on open source,” said Brian Fox, co-founder and CTO of Sonatype. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever.
“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”
In 2021, 64% of organisations experienced software supply chain attacks, and approximately 70% of them lacked the right policies for using open source.
Earlier this year researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). And a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).
Digital supply chain attacks provide high return on investment for cyber attackers
According to Gartner, cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. As vulnerabilities such as Log4j spread through the supply chain, more threats are expected to emerge. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
“Organisations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.”
“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organisations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools–such as the Sonatype Firewall–to keep developers on track and software supply chains secure.”