Open source projects under attack, with enterprises as the ultimate targets

Sonatype has found a massive year-over-year increase in cyberattacks aimed at open source projects.

According to early data from Sonatype’s 8th annual State of the Software Supply Chain Report, an average 700% jump in cyberattacks against open source projects/repositories has been recorded over the last three years.

To capitalize on weaknesses in upstream open source ecosystems, cybercriminals continue to target organizations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. Sonatype’s repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years.

“Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever,” said Brian Fox, CTO of Sonatype. “Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

The scale of open source malware attacks is so great that it’d be humanly impossible to detect and prevent every single attack in real time. And even if a malicious component isn’t used in the final product, it doesn’t matter–allowing it to be downloaded on the developer’s machine is already too late.

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organizations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added.