Open Source Is Free But at The Expense of Security

Open source software is being flooded with malware, but developers are still ignoring critical updates.

By Marco Rizal - Editor, Journalist

  • Over 512,000 malicious packages infiltrated open source ecosystems in 2023.
  • 80% of vulnerable applications remain unpatched for more than a year.
  • Only 61,000 of the roughly 7 million new open source components included a security-focused SBOM.

Malware is rapidly spreading throughout the open source ecosystem, putting the entire software supply chain at risk.

According to Sonatype, over 512,000 new malicious packages have been detected across popular package ecosystems (Java, JavaScript, Python, and .NET) since November 2023.

This alarming surge represents a 156% increase in malicious components, indicating that open source software is rapidly becoming a preferred playground for attackers.

According to Sonatype's State of the Software Supply Chain report, “A rise in open source malware has infiltrated open source ecosystems at an alarming rate.”

The company emphasizes that these attacks primarily target developers and avoid traditional security measures.

This has resulted in a wave of supply chain attacks, leaving applications vulnerable despite existing security measures.

The ease with which hackers can conceal malware in seemingly innocent packages has made it difficult for developers and automated build environments to detect threats early on.

The increase in malicious components complicates the already chaotic world of open source development.

According to Sonatype's data, more than 80% of applications with vulnerable third-party components have gone unpatched for more than 12 months.

In 95% of cases, safer alternatives are available, but developers still fail to implement them.

Failure to patch or update vulnerable software continues to expose organizations to unnecessary risks.

The rapid pace of development is one of the primary causes of the slow response.

According to Sonatype's report, “the impossibility of slowing down DevOps processes to perform manual vulnerability reviews,” is a key factor in the persistence of vulnerable components.

Even well-known issues, such as the infamous Log4j vulnerability, can remain in development pipelines for years.

Nearly three years after the discovery of Log4Shell, 13% of Log4j downloads are still of vulnerable versions.

Each ecosystem poses unique challenges. NPM, for example, experienced a flood of malicious packages driven by spam, while Python's rapid growth has resulted in a higher number of vulnerabilities per package.

Despite its massive user base, Java continues to struggle with outdated versions, complicating efforts to secure applications.

These vulnerabilities have severe consequences. Nearly 14% of the malware components detected are intended to steal sensitive data, such as environment variables and authentication tokens.

Sonatype also noted the prevalence of phishing attacks, in which hackers use dependency confusion to trick developers into downloading malicious packages masquerading as legitimate ones.

Some packages even include backdoors that allow attackers to remotely control compromised systems.

Organizations that want to fight back against these attacks face an uphill battle.

The increasing number of open source components, combined with longer timelines for fixing vulnerabilities, makes it difficult to remain secure.

In many cases, high-severity vulnerabilities now take more than 500 days to resolve, with even low-severity flaws remaining open for 700 days or longer.

Sonatype suggests that using Software Bills of Materials (SBOMs) to track dependencies can help mitigate these risks.

Projects using SBOMs resolved issues 264 days faster than those without, but adoption of these tools is slow.

Only 61,000 of the nearly 7 million open source components released in the last year included SBOMs.
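As an added illustration of the SBOM-driven dependency tracking the article describes (this is example code, not from the article or from Sonatype), the script below parses a CycloneDX-style SBOM and flags every component whose version is older than the first fixed release in an advisory list. It is the kind of check that would surface an outdated logging library like the Log4j case above. The SBOM and the advisory list are constructed sample data: the package names and the ADV-PLACEHOLDER ids are made up, while bomFormat, specVersion, components, version and purl are real CycloneDX field names. Components that carry no version or package URL are reported separately, because an SBOM that omits them cannot be assessed at all.

```python
"""Check a CycloneDX-style SBOM against a list of known-vulnerable component versions.

Added example; the SBOM and advisory data below are constructed, with placeholder ids.
"""
import json

# Constructed sample SBOM in CycloneDX JSON layout. The field names are real
# CycloneDX fields; the components themselves are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "com.example", "name": "example-logger",
         "version": "2.14.1", "purl": "pkg:maven/com.example/example-logger@2.14.1"},
        {"type": "library", "name": "example-http", "version": "1.3.0",
         "purl": "pkg:npm/example-http@1.3.0"},
        {"type": "library", "name": "example-yaml", "version": "6.0.1",
         "purl": "pkg:pypi/example-yaml@6.0.1"},
        # Deliberately incomplete entry: no version, no purl, so it cannot be assessed.
        {"type": "library", "name": "example-unknown"},
    ],
})

# Constructed advisory list: (purl without version, first fixed version, placeholder id).
# Anything older than the fixed version is considered affected.
ADVISORIES = [
    ("pkg:maven/com.example/example-logger", "2.17.1", "ADV-PLACEHOLDER-1"),
    ("pkg:npm/example-http", "1.2.5", "ADV-PLACEHOLDER-2"),
    ("pkg:pypi/example-yaml", "6.0.0", "ADV-PLACEHOLDER-3"),
]


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric segments such as 'rc1' count as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is strictly older than b (padded to equal length)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def purl_base(purl):
    """Strip qualifiers, subpath and the '@version' suffix from a package URL."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def find_vulnerable(sbom_json, advisories):
    """Return (findings, unassessable).

    findings:     list of (purl, advisory_id, first_fixed_version) for affected components
    unassessable: names of components lacking a version or purl, which the SBOM cannot vouch for
    """
    sbom = json.loads(sbom_json)
    findings, unassessable = [], []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            unassessable.append(comp.get("name", "<unnamed>"))
            continue
        base = purl_base(purl)
        for adv_base, fixed, adv_id in advisories:
            if base == adv_base and version_lt(version, fixed):
                findings.append((purl, adv_id, fixed))
    return findings, unassessable


if __name__ == "__main__":
    hits, gaps = find_vulnerable(SAMPLE_SBOM, ADVISORIES)
    for purl, adv_id, fixed in hits:
        print(f"AFFECTED  {purl}  ({adv_id}, fixed in {fixed})")
    for name in gaps:
        print(f"UNASSESSABLE  {name}  (no version/purl in SBOM)")
```

Run against the constructed SBOM, only example-logger 2.14.1 is reported as affected (it is older than the 2.17.1 fix), example-http and example-yaml are already at or above their fixed versions, and example-unknown is listed as unassessable. In a real pipeline the advisory list would come from a vulnerability database feed and the SBOM from the build, but the matching logic is the same.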
