So far in 2022, researchers at Sonatype have discovered over 88,000 malicious open source packages, a 742% increase per year since 2019. The packages were caught by AI-driven behavioral analysis and automated policy enforcement, then verified by the research team.
The results, published in Sonatype's 8th Annual State of the Software Supply Chain report, were compiled from a study of the four major open source ecosystems: Maven, npm, PyPI and NuGet. Downloads from these ecosystems in 2022 are estimated at 3.1 trillion, which highlights the growing risk to corporate systems both from threat actors inserting malicious packages into public repositories and from vulnerable packages that development teams download without realizing it.
Supply chain attacks are so hot right now. The large open source projects have safeguards against malicious code submissions and other supply chain attacks. The problem is the smaller projects, which most end users have no idea they are using. For instance, when the Log4j vulnerability landed in December 2021, it was written off as a non-event because nobody had explicitly listed Log4j as a developer tool. That organization found out the hard way that Log4j was everywhere.
Apply that not just to vulnerabilities but to malicious attackers: targeting smaller projects that lack the security rigor of the larger ones and slipping in backdoored packages is almost child's play. Compounding the problem, these surreptitious packages are often discovered only by chance, when an eagle-eyed admin or researcher spots one in the wild. This is a very hard problem to solve.
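The Log4j lesson above (a library nobody listed as a tool turning out to be everywhere) is exactly the question a software bill of materials is meant to answer. The script below is an added example, not code from this article or from Sonatype: it reads a CycloneDX-style SBOM and lists every dependency path from the application down to a named component, so a log4j-core pulled in transitively by an internal library shows up with its version and the chain that brought it in, even though no one declared it directly. The SBOM, its component names and its versions are constructed for illustration and do not describe any real project.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM for illustration only (not a real project's BOM).
# "components" lists what ships in the build; "dependencies" is the edge list
# (each "ref" depends on the refs in its "dependsOn").
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:maven/com.example/app@1.0.0",
                             "group": "com.example", "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/com.example/web-starter@2.5.0",
     "group": "com.example", "name": "web-starter", "version": "2.5.0"},
    {"bom-ref": "pkg:maven/com.example/reports@3.2.0",
     "group": "com.example", "name": "reports", "version": "3.2.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/app@1.0.0",
     "dependsOn": ["pkg:maven/com.example/web-starter@2.5.0",
                   "pkg:maven/com.example/reports@3.2.0"]},
    {"ref": "pkg:maven/com.example/web-starter@2.5.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    {"ref": "pkg:maven/com.example/reports@3.2.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}
""")


def build_graph(sbom):
    """Return (root_ref, adjacency, components) from a CycloneDX-style dict."""
    root_comp = sbom["metadata"]["component"]
    root = root_comp["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    comps[root] = root_comp
    edges = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        edges[dep["ref"]].extend(dep.get("dependsOn", []))
    return root, edges, comps


def find_paths(sbom, name, group=None):
    """Every dependency path from the root component to a component named `name`.

    Returns a list of (version, path) where path is the chain of component names
    from the root down to the match. A direct dependency gives a path of length 2;
    anything longer is a transitive dependency nobody declared explicitly.
    """
    root, edges, comps = build_graph(sbom)
    hits = []

    def walk(ref, path_refs):
        comp = comps.get(ref, {"name": ref})
        names = [comps.get(r, {"name": r})["name"] for r in path_refs] + [comp["name"]]
        if comp["name"] == name and (group is None or comp.get("group") == group):
            hits.append((comp.get("version", "?"), names))
        for child in edges.get(ref, []):
            if child in path_refs or child == ref:  # cycle guard for malformed BOMs
                continue
            walk(child, path_refs + [ref])

    walk(root, [])
    return hits


def transitive_only(sbom, name, group=None):
    """True if `name` ships in the build but is reachable only through other dependencies."""
    paths = find_paths(sbom, name, group)
    return bool(paths) and all(len(p) > 2 for _, p in paths)


if __name__ == "__main__":
    for target in ("log4j-core", "log4j-api"):
        for version, path in find_paths(SAMPLE_SBOM, target):
            kind = "direct" if len(path) == 2 else "transitive"
            print(f"{target} {version} ({kind}): {' -> '.join(path)}")
```

Run against the constructed BOM, the script reports log4j-core 2.14.1 reached only through the internal "reports" library, which is the situation the article describes: the application's own manifest never mentions Log4j, yet it ships. The same walk works on an SBOM generated by a build plugin, and the group filter keeps a look-alike artifact with the same name under a different group from passing as a match.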