Open source security is key as cyber attacks increase 700x

Share
A report has highlighted an increase in cyber attacks on open source supply chain ecosystems, with incidents increasing 700% over the past three years.

Cyber attacks on open source ecosystems have increased seven times over across the last three years, according to data from an annual report.

According to early data from DevSecOps automation specialist Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full in October, an average 700% jump in repository attacks has been recorded over the last three years.

To capitalise on weaknesses in upstream open source ecosystems, cybercriminals continue to target organisations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype says its repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.

Open source cyber attacks show no sign of slowing down

“Almost every modern business relies on open source,” said Brian Fox, co-founder and CTO of Sonatype. “Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever. 

“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

In 2021, 64% of organisations experienced software supply chain attacks, and approximately 70% of them lacked the right policies for using open source.

Earlier this year researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). And a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).

Digital supply chain attacks provide high return on investment for cyber attackers

According to Gartner, cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. As vulnerabilities such as Log4j spread through the supply chain, more threats are expected to emerge. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

“Organisations worldwide are facing sophisticated ransomware, attacks on the digital supply chain and deeply embedded vulnerabilities,” said Peter Firstbrook, research vice president at Gartner. “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise – all while dealing with a shortage of skilled security staff.”

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organisations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools–such as the Sonatype Firewall–to keep developers on track and software supply chains secure.”

Share

Featured Articles

SAP: AI & Data Key to Closing COP29 Climate Commitments Gap

SAP’s CSCO Sophia Mendelsohn on how AI and data collection could help companies meet climate targets set at COP29 conference in Azerbaijan

PwC and AWS Forge Path for Regulated AI Adoption

Professional services firm PwC and AWS collaborate on automated reasoning tools to reduce AI hallucination risk in regulated sectors

Nvidia Predictions: AI Infrastructure Set to Shift in 2025

Nvidia executives predict quantum computing breakthroughs, liquid-cooled data centres and autonomous agents will reshape enterprise computing landscape

Nvidia & AWS’s AI Breakthroughs at Re:Invent 2024

AI & Machine Learning

SAP and AWS Partner on AI-Powered Cloud ERP Platform GROW

Cloud Computing

SAVE THE DATE – Cyber LIVE London 2025

Cloud & Cybersecurity