Cybercriminals are compromising open source software packages to distribute malicious code through the software supply chain. These so-called software supply chain attacks grew 650% this year, according to analysis by security provider Sonatype, which recorded 12,000 incidents in 2021. The finding underscores the need for organisations to handle open source code with care – as the Log4J vulnerability made clear this week.
What are software supply chain attacks?
Open source software packages are typically stored in online repositories. Because some of these packages are used widely in all manner of applications, these repositories represent “a reliable and scalable malware distribution channel,” according to researchers from the University of Bonn, Fraunhofer FKIE, and SAP Labs France.
Software supply chain attacks take three forms, according to Sonatype's 'State of the Software Supply Chain' report. The two most common forms – dependency confusion and typosquatting – rely on the fact that software development tools known as dependency managers will automatically download and implement open source code within applications.
In dependency confusion attacks, attackers will create a compromised version of a package with a later version number, so that it is automatically implemented. This was the most common type of software supply chain attack in 2021. In typosquatting attacks, attackers will create a package whose name has a single character different from a popular package, in the hope that developers will mistype it.
Malicious code injection involves adding new code to an open source software package so anyone who runs it is affected. This attack declined in prevalence this year, according to Sonatype, perhaps as a result of open source repositories tightening their security.
The University of Bonn study found that repositories for Node.js (npm) and Python (PyPi) are the primary targets for supply chain attacks, "supposedly due to the fact that malicious code can be easily triggered during package installation".
The state of security in open source software
Sonatype’s report assessed the number of vulnerabilities across the most common open source packages. It found that the Maven Central repository of Java packages had the highest number of components with vulnerabilities, including more than 350,000 that are deemed 'critical', meaning that they could be easily exploited to gain root-level access. In second place was the nmp repository for Javascript packages, with 250,000 components with critical vulnerabilities.
Package versions with vulnerabilities represent the minority of those housed in the repositories, Sonatype found. Only 4.9% of package versions in Maven Central had critical vulnerabilities, for example. For PyPi, it was just 0.4% of package versions.
Nevertheless, the frequency with which these packages are downloaded means these vulnerabilities could quickly spread far and wide. In 2021, JavaScript developers requested to download 1.5 trillion open source packages, while Python downloads doubled to 127 billion this year.
“This year’s report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype. “This stark reality highlights both a critical responsibility and opportunity, for engineering leaders to embrace intelligent automation so they can standardise on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”
The report from researchers at the University of Bonn et al. noted that many open source projects have introduced two-factor authentication and disabled scripts that automatically install additional packages. These measures need to be replicated across the open source ecosystem, they wrote. "Despite raising general awareness among stakeholders, such countermeasures must be more accessible and, where possible, enforced by default in order to prevent open source software supply chain attacks.”
The debate over the security of open source software was reopened this month after a critical vulnerability was discovered in Log4J, an open source logging tool for Java applications. Log4J, which is maintained by unpaid volunteers, is used in a huge number of applications, often without the knowledge of the organisations that have implemented them, meaning it could take months to find and patch all instances, experts told Tech Monitor.