
Contaminated Open-Source Packages Are a Threat


A recent report from the Software Supply Chain Management company Sonatype has highlighted the alarming rate at which malware is infiltrating the open-source software development ecosystem. Since November 2023, Sonatype has identified over 500,000 new malicious packages in popular Java, JavaScript, Python, and .NET package registries.

These new malicious components account for more than 70 percent of the roughly 700,000 malware packages the company has tracked since 2019, the year it began reporting this statistic in its annual State of the Software Supply Chain Report.

According to Sonatype, each enterprise application on average contains at least 180 third-party components, making their management challenging.

The company found that over 80 percent of vulnerable application dependencies go unpatched for more than a year, even though secure alternatives are available for 95 percent of them. Even when updates are applied, in 3.6 percent of cases, vulnerable dependencies are updated to other insecure versions.

Log4j, a Java logging library used in millions of applications, is a case in point: a critical vulnerability known as “Log4Shell” was disclosed in December 2021. Despite the headlines it generated, almost three years later 13 percent of Log4j downloads from the Maven Central Java repository are still vulnerable versions.

Managing open-source risks requires optimizing security policies and practices to keep up with the rapid development of new OSS libraries, as highlighted by Sonatype in its report. Companies struggle with having to slow down DevOps processes for manual vulnerability checks, frustrating development teams.

Malicious components uploaded to open-source package repositories serve a variety of purposes, Sonatype notes, and their impact varies accordingly. Almost half are categorized as “Potentially Unwanted Applications” (PUAs), which are mostly harmless in practice but whose functions are unknown.

A further breakdown shows that 12 percent are labeled as “Security Holding Packages,” packages deemed malicious by ecosystem maintainers and replaced with a clean placeholder package to alert users. The remainder poses serious threats to the supply chain: 14 percent use phishing techniques, distributing packages disguised as internal company files.

Approximately 14 percent of malicious packages aim to steal sensitive files and data from computers, while a subgroup of 3 percent targets personally identifiable information (PII). Another 3 percent install backdoors and trojans on computers. Other malicious actions include inserting cryptocurrency mining programs, damaging file systems, or compromising IDE tools used by developers.

Recent incidents involving fake packages include a developer uploading about 14,000 fake packages to npm to benefit from a cryptocurrency reward program for open-source contributions. In another case, attackers used typosquatting to spread a Python package whose name resembled that of a popular library and which deployed the Lumma Windows stealer.

A significant concern raised by Sonatype is the growing average time taken to address security vulnerabilities, regardless of severity. The researchers found that the time to patch critical vulnerabilities has increased significantly, with some cases exceeding 500 days for resolution.

To mitigate these ongoing risks, focusing on tools that assist in managing dependencies and detecting security flaws in real time is crucial. Projects using a Software Bill of Materials (SBOM) to manage their OSS dependencies resolved vulnerabilities in a significantly shorter timeframe than those that did not.
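Three of the findings above lend themselves to an automated dependency check: the typosquatted package names mentioned in the incident section, the vulnerable dependencies that stay unpatched, and the 3.6 percent of updates that move to another insecure version. The following script is an added example and is not part of the Sonatype report or this article; it audits a constructed requirements.txt against a short allow-list of well-known package names and a constructed advisory table (the `ADVISORIES` ranges, the `reqeusts` package name and the version numbers are invented for the example and are not real advisory data). It flags names within a small edit distance of a known package, flags pinned versions inside a vulnerable range, and checks that a proposed upgrade target is not itself still inside that range.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Allow-list of well-known names (constructed for this example; in practice this
# would be the organisation's approved package inventory or SBOM contents).
POPULAR_PACKAGES = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}

# Constructed advisory data: package -> inclusive (first, last) vulnerable ranges.
# These ranges are invented for the example and are NOT real advisories.
ADVISORIES: Dict[str, List[Tuple[Version, Version]]] = {
    "urllib3": [((1, 0, 0), (1, 26, 17))],
}

# Constructed requirements file used as sample input ("reqeusts" is a made-up
# look-alike of "requests").
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
requests==2.31.0
reqeusts==2.31.0
numpy==1.26.4
urllib3==1.26.4
"""


def parse_version(text: str) -> Version:
    """Turn '1.26.4' into (1, 26, 4) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> List[Tuple[str, Version]]:
    """Parse 'name==version' pins; comments and blank lines are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins.append((match.group(1).lower(), parse_version(match.group(2))))
    return pins


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_suspects(names, known=POPULAR_PACKAGES, max_distance=2) -> Dict[str, str]:
    """Map each unknown name that is within max_distance edits of a known
    package to that package; exact matches with the allow-list are not flagged."""
    suspects = {}
    for name in names:
        if name in known:
            continue
        closest = min(known, key=lambda k: levenshtein(name, k))
        if levenshtein(name, closest) <= max_distance:
            suspects[name] = closest
    return suspects


def is_vulnerable(name: str, version: Version, advisories=ADVISORIES) -> bool:
    return any(low <= version <= high for low, high in advisories.get(name, []))


def safe_upgrade_target(name: str, candidate: str, advisories=ADVISORIES) -> bool:
    """True only when the proposed upgrade version lies outside every known
    vulnerable range, i.e. the update does not land on another insecure version."""
    return not is_vulnerable(name, parse_version(candidate), advisories)


def audit(requirements_text: str) -> Dict[str, object]:
    pins = parse_requirements(requirements_text)
    return {
        "typosquat": typosquat_suspects([name for name, _ in pins]),
        "vulnerable": [
            (name, ".".join(map(str, version)))
            for name, version in pins
            if is_vulnerable(name, version)
        ],
    }


if __name__ == "__main__":
    for finding, details in audit(SAMPLE_REQUIREMENTS).items():
        print(finding, details)
    print("1.26.10 safe upgrade?", safe_upgrade_target("urllib3", "1.26.10"))
    print("1.26.18 safe upgrade?", safe_upgrade_target("urllib3", "1.26.18"))
```

The edit-distance threshold of 2 is deliberately low: a real check should also consult the actual registry (is the look-alike name published at all, by whom, and since when) rather than treat string similarity alone as proof of malice, and the advisory ranges would come from an SBOM-aware scanner instead of a hard-coded table.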

With heightened adoption of SBOM standards and corresponding government regulations promoting their use, more open-source developers have begun implementing them. However, the release rate of new components outpaces the adoption of standards.

In conclusion, the landscape of open-source software development is evolving rapidly, presenting new challenges and risks that require a proactive and vigilant approach from enterprises to safeguard their supply chains and systems effectively.
