Sonatype discovered 88,000 malicious open source software packages this year, up 633%. That’s according to the firm’s latest software supply chain report.
These packages are designed to fool developers into installing them via typos or “brand-jacking”. Once downloaded, a package often executes its payload immediately via the build functions of developer tools such as npm, cargo or pip3, insinuating themselves into downstream software where they can be exploited.
“[The malicious packages] rarely even pretend to be working code; they exploit the automation that exists in the build or in the dependency managers used by developers, who inadvertently install the malicious code in nanoseconds. [Yet] when developers encounter these failures in their builds, the research has found that their answer often is fixing a typo and trying again,” said the Sonatype report, which was released today.
While the number of detected malicious packages represents a tiny proportion of all available open-source software, the speed of their growth has been dramatic. According to Sonatype it detected close to zero malicious packages in 2019, rising to 1,200 in 2020, 12,000 in 2021, and now 88,000 in 2022 – suggesting awareness has grown rapidly among criminal groups of this potential attack vector, as reports demonstrate its effectiveness.
(A well-known demonstration of its efficacy was a campaign by security researcher Alex Birsan in 2021: He breached over 35 major companies including Apple, Google and Microsoft via this kind of “substitution attack” which exploits a design flaw in the way native installation tools and DevOps workflows pull dependencies into a software supply chain; as well as the way many developers freely consume snippets of code for their builds.)
Malicious open source packages on the rise…
The growth in malicious open-source packages comes as the use of open-source software continues to grow dramatically, with Sonatype estimating in its report that the four largest OSS build tools – Maven, npm, PyPi and NuGet – will see a huge 3.1 trillion downloads in 2022 alone, up 33% year-on-year.
Criminals are also targeting open-source libraries through more targeted means, with Sonatype highlighting the malicious capture of coa and rc last year – both popular projects with millions of weekly downloads, which hadn’t been updated in years. Its researchers noted that dependency management challenges for developers are huge, not least because a large percentage (85%) of projects on Maven Central are “inactive” (which it defined as less than 500 downloads per month) and that the average Java application contains 148 dependencies.
“The average Java project releases updates 10 times a year,” Sonatype said today: “So, along with choosing and managing 150 initial dependencies, developers are being asked to:
- Track an average of 1,500 dependency changes per year per application
- Possess significant security and legal expertise to choose the safest versions
- Maintain a working knowledge of software quality at all times
- Understand the nuances of ecosystems being used
- Sift through thousands of projects to pick the best ones.”
“The supply of open source continues to grow at double-digit rates and shows no signs of stopping anytime soon. Similarly, the volume of open source downloads is ever-accelerating, creating a massive increase in consumption. This equates to a perfect storm of potential threats that expands in scope, complexity, and impact,” said the report.
Governments and enterprises have become increasingly aware of the risks posed by the vast dependency of much modern IT infrastructure on poorly-audited open-source projects. Earlier this year the White House and top CISOs put together an action plan to tackle the problem – but as can be seen from Sonatype’s figures, the scale is huge.
Unfortunately, while awareness of the need for stronger software supply chain security is growing, Sonatype’s findings suggest many organisations remain complacent about the risks. 68% of organisations surveyed said they felt confident their applications were not using vulnerable libraries – but in a random sample of enterprise software, 68% contained known vulnerabilities.
“There is an ongoing bias towards seeing things in a better light, in which managers report higher stages of maturity compared to what is reported by other roles. Survey-wide, this discrepancy is statistically significant when comparing IT managers and those working in information security roles,” said the report.
According to Sonatype, compared to infosec workers, IT managers are 1.8 times more likely to claim to know the software bill of materials for every application, 2.4 times as likely to claim they address remediation as part of regular dev work – and 3.5 times as likely to claim they mitigate vulnerabilities less than a day after becoming aware of them.
“Immature organizations expect their developers to stay on top of license compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures like speed,” said Sonatype CTO and co-founder Brian Fox, in a press release.
“It comes as no surprise that job satisfaction is heavily linked to the software supply chain practices maturity. This sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”
With growing awareness comes an increasingly significant push for action. The Sonatype report details various national initiatives around the world, from the US’s push to improve software supply chain security, with increasingly voluminous guidance and requirements – to the UK’s plans for legislation to improve cyber-resilience, which specifically highlighted supply chain risks (although it’s anyone’s guess when that legislation will happen now).
The company also said there was plenty of scope for organisations to tackle supply-chain issues: “Our analysis of safe version adoption [of Log4j] among enterprise consumers has been more encouraging thanks to available automation and tooling.”
According to the report, 95% of vulnerable downloads had a fixed version available – meaning almost all supply chain issues could be avoided. And of the 10 million releases in Maven, only 35% had vulnerable issues – and of those, only 4.2% had no available fix.
“If organizations have tooling, policy, and automation in place that maintains their place in the proactive group, their reaction [to vulnerabilities] should be business as usual,” the report added.
Sonatype also outlined its proposals for a metric to measure the vulnerability of projects, using “machine-learning” analysis of various aspects of software projects. The firm said it was making the metric and its development available to all.
“We are hopeful that this machine learning-based approach to rating projects will provide better predictive value than existing quality metrics, and are soliciting feedback from the community,” said the report.
“OSS Index and Maven Central now include a Sonatype Safety Rating for 31,515 of the most widely used projects that contain the required Security Scorecard data. Over time, we intend to expand the set of projects that we rate and enhance the rating algorithm itself.”