December 22, 2021

Supply chain attacks on open source software grew 650% in 2021

Attacks targeting open source code libraries used by thousands of developers have increased exponentially since last year.

By Afiq Fitri

Cybercriminals are compromising open source software packages to distribute malicious code through the software supply chain. These so-called software supply chain attacks grew 650% this year, according to analysis by security provider Sonatype, which recorded 12,000 incidents in 2021. The finding underscores the need for organisations to handle open source code with care – as the Log4J vulnerability made clear this week.

What are software supply chain attacks?

Open source software packages are typically stored in online repositories. Because some of these packages are used widely in all manner of applications, these repositories represent “a reliable and scalable malware distribution channel,” according to researchers from the University of Bonn, Fraunhofer FKIE, and SAP Labs France.

Software supply chain attacks take three forms, according to Sonatype's 'State of the Software Supply Chain' report. The two most common forms – dependency confusion and typosquatting – rely on the fact that software development tools known as dependency managers will automatically download and implement open source code within applications.

In dependency confusion attacks, attackers will create a compromised version of a package with a later version number, so that it is automatically implemented. This was the most common type of software supply chain attack in 2021. In typosquatting attacks, attackers will create a package whose name has a single character different from a popular package, in the hope that developers will mistype it.

Malicious code injection involves adding new code to an open source software package so anyone who runs it is affected. This attack declined in prevalence this year, according to Sonatype, perhaps as a result of open source repositories tightening their security.
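The two mechanisms described above (an open version range that lets a higher-numbered lookalike win, and a name one character away from a popular package) can both be checked before a dependency manager ever runs. The following is an added illustration written for this page, not code from Sonatype, the University of Bonn researchers or any dependency manager; the package names, registry URLs and the small "popular packages" list are constructed for the example, and the open-range heuristic is an assumption that mirrors how npm- and pip-style constraints are written.

```python
"""Defender-side checks for dependency confusion and typosquatting in a manifest."""
from dataclasses import dataclass

# Constructed stand-in for a list of widely used package names (assumption).
POPULAR_PACKAGES = {"requests", "urllib3", "lodash", "express", "numpy", "colorama"}

# Constructed names of packages that exist only on a private registry (assumption).
INTERNAL_PACKAGES = {"acme-auth-client", "acme-billing"}

# Public registries that an attacker can publish to without any relationship to us.
PUBLIC_REGISTRIES = {"https://registry.npmjs.org", "https://pypi.org/simple"}


@dataclass
class Dependency:
    name: str       # package name exactly as written in the manifest
    spec: str       # version constraint, e.g. "^1.2.0" or "==2.31.0"
    registry: str   # registry the dependency manager resolves this entry from


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular=POPULAR_PACKAGES, max_distance=1):
    """Popular names this dependency is within `max_distance` edits of, but not equal to."""
    return sorted(p for p in popular if p != name and levenshtein(name, p) <= max_distance)


def is_open_range(spec: str) -> bool:
    """True when the constraint lets the resolver choose a newer version than the one tested."""
    return spec in ("", "*", "latest") or spec[0] in "^~>"


def dependency_confusion_risks(deps, internal=INTERNAL_PACKAGES):
    """Flag internal package names that a higher-numbered public copy could displace."""
    findings = []
    for d in deps:
        if d.name not in internal:
            continue
        if d.registry in PUBLIC_REGISTRIES:
            findings.append((d.name, "internal package resolved from a public registry"))
        elif is_open_range(d.spec):
            findings.append((d.name, f"open range {d.spec!r} lets a higher version from another registry win"))
    return findings


def audit(deps):
    """Run both checks over a parsed manifest and return the findings."""
    squats = {d.name: typosquat_candidates(d.name) for d in deps}
    return {
        "typosquat": {n: c for n, c in squats.items() if c},
        "dependency_confusion": dependency_confusion_risks(deps),
    }


# Constructed sample manifest: one lookalike name, two internal packages, one clean entry.
SAMPLE_MANIFEST = [
    Dependency("urlib3", "==2.0.0", "https://pypi.org/simple"),
    Dependency("acme-auth-client", "^1.2.0", "https://registry.npmjs.org"),
    Dependency("acme-billing", "^2.0.0", "https://npm.acme.internal"),
    Dependency("lodash", "4.17.21", "https://registry.npmjs.org"),
]

if __name__ == "__main__":
    for category, findings in audit(SAMPLE_MANIFEST).items():
        print(category, findings)
```

The edit-distance threshold of one matches the single-character substitutions the article describes; raising it catches more lookalikes at the cost of false positives against short names. Pinning internal packages to an exact version and to a private registry removes both findings for the `acme-` entries.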

The University of Bonn study found that repositories for Node.js (npm) and Python (PyPI) are the primary targets for supply chain attacks, "supposedly due to the fact that malicious code can be easily triggered during package installation".


The state of security in open source software

Sonatype’s report assessed the number of vulnerabilities across the most common open source packages. It found that the Maven Central repository of Java packages had the highest number of components with vulnerabilities, including more than 350,000 that are deemed 'critical', meaning that they could be easily exploited to gain root-level access. In second place was the npm repository for JavaScript packages, with 250,000 components with critical vulnerabilities.

Package versions with vulnerabilities represent the minority of those housed in the repositories, Sonatype found. Only 4.9% of package versions in Maven Central had critical vulnerabilities, for example. For PyPI, it was just 0.4% of package versions.

Nevertheless, the frequency with which these packages are downloaded means these vulnerabilities could quickly spread far and wide. In 2021, JavaScript developers requested to download 1.5 trillion open source packages, while Python downloads doubled to 127 billion this year.

“This year’s report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype. “This stark reality highlights both a critical responsibility and opportunity, for engineering leaders to embrace intelligent automation so they can standardise on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”

The report from researchers at the University of Bonn et al. noted that many open source projects have introduced two-factor authentication and disabled scripts that automatically install additional packages. These measures need to be replicated across the open source ecosystem, they wrote. “Despite raising general awareness among stakeholders, such countermeasures must be more accessible and, where possible, enforced by default in order to prevent open source software supply chain attacks.”

The debate over the security of open source software was reopened this month after a critical vulnerability was discovered in Log4J, an open source logging tool for Java applications. Log4J, which is maintained by unpaid volunteers, is used in a huge number of applications, often without the knowledge of the organisations that have implemented them, meaning it could take months to find and patch all instances, experts told Tech Monitor.
