Software supply chain attacks are getting easier

ReversingLabs identified close to 11,200 unique malicious packages across three major open-source software platforms in 2023: npm, PyPI, and RubyGems.


These findings mark an astounding 1,300% increase in malicious packages from 2020 and an increase of 28% over 2022, when a little more than 8,700 malicious packages were detected.

“Over the years, we’ve closely monitored the increase of software supply chain exposures and attacks. This new report reflects the proliferation of malware across open-source and commercial platforms,” said Mario Vuksan, CEO of ReversingLabs. “Businesses relying only on legacy application security will continue to be victimized. In fact, we expect to see continued material risk to the software development pipeline, with that risk and escalation processes becoming a critical focus for regulators.”

Significant decline in malicious npm packages

ReversingLabs recorded a 400% annual increase in threats on the PyPI platform, with more than 7,000 instances of malicious PyPI packages discovered in the first three quarters of 2023. The vast majority of these were classified as “infostealers.” The company also found more than 40,000 instances of leaked or exposed development secrets across the major package managers (npm, PyPI and RubyGems).

Instances of malicious npm packages in the first three quarters of 2023 decreased by 43% compared with malicious npm packages identified in all of 2022.

The last 12 months have also seen software supply chain attacks shed complexity and boost accessibility. Data compiled by ReversingLabs shows that the barrier to entry for supply chain attacks has lowered steadily in the last year, and everything indicates that it will continue to do so in 2024.

No longer just the domain of nation-state actors, software supply chain attacks are increasingly being perpetrated by low-skill cybercriminals, evidenced by the use of open source packages to support commodity phishing campaigns that deliver turnkey, automated attacks used to facilitate the theft of victim data. Threat actors have recognized how to abuse weak links in the software supply chain to support both targeted and indiscriminate campaigns.

Exposed secrets remain a top challenge

Exposed digital authentication credentials (‘secrets’), such as login credentials, API tokens, and encryption keys, are a significant target for malicious actors and were a major challenge in 2023. Through regular scans of platforms including npm, PyPI, RubyGems, and NuGet, ReversingLabs found that secret leaks continue to plague popular applications and hosting platforms such as Slack, AWS, Google, Microsoft’s GitHub repository, and Azure cloud.

Npm accounted for 77%, or 31,000, of the more than 40,000 secrets detected across these four open-source platforms. Of the secrets detected on npm, 56% were used to access Google services, compared to 9% attributed to Amazon’s AWS cloud services.

The research identified a similar pattern on PyPI, which accounted for 18% of the leaked secrets observed in 2023. In these instances, tokens used to access Google services accounted for just over 24% of the secrets detected. Secrets related to AWS accounted for around 14% of the total discovered on PyPI.

Anticipated surge in software supply chain attacks

The shifting terrain of software supply chain risk that characterized 2023 will continue to alter the cybersecurity landscape in 2024, ReversingLabs research indicates. Threats and attacks targeting open source and commercial, third-party code will continue to grow, even as the methods and preferences of malicious supply chain actors evolve.

Both cybercriminal and nation-state hackers can be expected to gravitate to platforms and techniques that are the most likely to succeed. And in the wake of high-profile attacks, software producers and end user organizations should expect to see a continued high bar of disclosure requirements as well as more pointed guidance from the federal government, including the use of SBOMs when securing the software supply chain.

“Lacking sufficient visibility, software producers and their customers are failing to spot signs of code tampering and abuse within development pipelines or threats hiding in compiled software artifacts. In 2024, we expect software supply chain attacks to escalate if organizations don’t address the threat,” added Vuksan.

“Businesses must shift from blind trust of the integrity of software to proven tools and processes that can verify software and ensure it is free of material risks. This includes the ability to scan raw code and compiled binaries in any software they build or buy for behaviors and unexplained changes that may indicate instances of malware and tampering.”
