Sonatype Reports 156% Increase in OSS Malicious Packages

Summary: The surge in open source software (OSS) consumption has led to a dramatic increase in open source malware, with over 704,102 malicious packages identified since 2019. Sonatype’s report highlights the urgent need for improved security practices among software manufacturers and consumers to mitigate risks associated with vulnerabilities in open source projects.

Threat Actor: Open Source Malware
Victim: Software Supply Chain

Key Points:

  • 156% increase in open source malware, with 512,847 malicious packages identified since November 2023.
  • 80% of application dependencies remain un-upgraded for over a year, despite 99% of packages having updated versions available.
  • Regulatory measures, such as the EU’s NIS2 directive, are emerging to promote better security practices and software bill of materials (SBOM) adoption.
  • There has been a 463% growth in CVEs from 2013 to 2023, highlighting the increasing vulnerabilities in software.
  • Sonatype emphasizes the need for proactive security measures to ensure a secure open source ecosystem moving forward.

As open source software (OSS) consumption soars, there has been a 156% surge in open source malware, according to new findings by Sonatype.

More than 704,102 malicious packages have been identified since 2019, and 512,847 of these have been discovered since November 2023, the firm’s 10th Annual State of the Software Supply Chain report found.

This year has been a record-breaking year for open source consumption, according to Sonatype, reaching an estimated 6.6 trillion downloads.

JavaScript (npm) accounted for a staggering 4.5 trillion requests in 2024, representing 70% year-over-year growth in requests.

Python (PyPI), driven by AI and cloud adoption, is estimated to reach 530 billion package requests by the end of 2024, up 87% year-over-year, according to Sonatype’s findings.

Npm is a package manager for the JavaScript programming language, and PyPI a package manager for Python.

The company said that organizations continue to struggle with efficient risk mitigation. While Sonatype’s research focuses on the rise of contaminated open source projects, the report noted that all software, open source or commercial, will eventually have bugs that evolve into vulnerabilities.

Despite more than 99% of packages having updated versions available, 80% of application dependencies remain un-upgraded for over a year.

In addition, 95% of the time, when vulnerable components are consumed, a fixed version already exists.

The risk is persistent: 13% of Log4j downloads remain vulnerable, three years after Log4Shell was disclosed.

It was also noted that publishers struggle to keep up with CVE remediation, with several vulnerabilities taking over 500 days to fix.

Between 2013 and 2023, there was a 463% growth in CVEs.

In the report, Sonatype calls on software manufacturers, consumers, and regulators to adopt robust security practices and said that the balance between innovation and security is more critical than ever.

“Over the last decade, we’ve seen software supply chain attacks increase in sophistication and frequency, particularly with the rise of open source malware, while publishers and consumers have remained relatively stagnant when it comes to security,” said Brian Fox, CTO and Co-Founder at Sonatype. “In order to ensure a vibrant and secure open source ecosystem for the decade ahead, we must build a foundation of proactive security with vigilance against open source malware, decreased consumer complacency, and comprehensive dependency management.”

Despite the challenges, the company noted that regulators are starting to catch up with the issues.

New policies are emerging, including the EU’s updated Network and Information Systems Directive (NIS2), which comes into force on October 17, 2024, as well as forthcoming regulations surfacing in India and Australia. These policies are encouraging software bill of materials (SBOM) adoption, with more than 60,000 SBOMs published in the last year.

Sonatype’s report was backed by data from over seven million open source projects.

Source: https://www.infosecurity-magazine.com/news/156-increase-in-oss-malicious