The Dark Side of Open-Source: What's Behind Free Code?

Posted by Man (Professional)

More than 500 thousand malicious packages were detected in open source projects during the year.

The number of malicious packages in the open-source ecosystem has increased significantly over the past year, as evidenced by a new report from Sonatype. Experts noted that the number of malicious components purposefully uploaded to open-source repositories increased by more than 150% compared to the previous year.

Open-source software, which is based on a transparent development process with the ability for anyone to contribute, is the basis of most modern digital technologies. The Sonatype report analyzed more than 7 million projects, among which more than 500 thousand were found with malicious components.

Problems with vulnerabilities in open-source packages and the difficulties that developers face in supporting them have become acute in recent years against the backdrop of a series of major cyberattacks and identified vulnerabilities. One example was a recent incident involving the XZ Utils data compression tool. Hackers have been trying to inject a vulnerability into this tool for several years so that it ends up on numerous Linux servers around the world.

According to experts, the problem lies not only in the hacker attacks themselves, but also in the approach of publishers and consumers of open-source solutions. In the rush to release new versions and features quickly, security is often overlooked. As a result, critical vulnerabilities remain unpatched for a long time. For example, it is known that even years after the Log4Shell vulnerability was disclosed, about 13% of downloads of the affected component are still vulnerable versions.

On average, critical vulnerabilities take up to 500 days to remediate, which is significantly longer than the previous 200 to 250 days. Less serious bugs require even more time to fix — in some cases, this process takes more than 800 days, although previously this time rarely exceeded 400 days.

This data shows that the software supply chain has reached a critical point where publishers' resources simply cannot keep up with the growing number of vulnerabilities. In addition, each programming ecosystem has its own characteristics, which complicates the provision of protection. For example, the Node.js package manager has seen a sharp increase in malicious packages related to spam and cryptocurrencies in recent years.
