Rapid increase of malicious packages in open-source repositories

A recent report from Sonatype reveals that a rising number of malicious packages are inundating the open-source repositories.

Image: open-source repositories (Source: MatecDev)

The cybersecurity company discovered a more than 150% increase in the number of malicious packages deliberately uploaded to open-source repositories compared to last year. Open-source software, characterized by a transparent development process that allows nearly anyone to contribute code and components, serves as the foundation for most modern digital technologies.

Sonatype, a company specializing in open-source supply chains, examined over 7 million open-source projects and discovered that more than 500,000 of them included a malicious package.

In recent years, vulnerabilities in open-source packages and their developers have gained significant attention due to a series of high-profile bugs and cyberattacks. Earlier this year, hackers targeted the maintainer of the data-compression tool XZ Utils in an extended campaign aimed at introducing a vulnerability that could potentially have affected Linux servers globally.

Brian Fox, co-founder and chief technology officer at Sonatype, said that attacks like XZ Utils show that malicious hackers “have made the most strides” in open source within the past decade.

Fox said the “real issue is the publishers and consumers” of open-source software.

The report emphasized that developers and publishers have prioritized rapidly releasing features and publishing new versions, often at the expense of security.

“We could see a lot of projects have really improved their ability to release faster,” Fox said. “That’s not surprising; that is the state of modern software development. The disappointing part is while they’re releasing faster, on average, it’s taking longer to fix the vulnerabilities in their dependencies.”

However, even when a fix is available, applying patches or mitigation measures takes longer still. Sonatype discovered that certain major bugs, such as Log4Shell, continue to be downloaded years after their initial discovery. The researchers found that 13% of Log4J downloads included vulnerable versions.

The report noted that previously, addressing critical vulnerabilities took approximately 200 to 250 days. However, it now can take as long as 500 days before a new release is available.

The duration needed to address medium- and low-severity bugs has risen considerably, with some cases extending beyond 500 days—and at times even surpassing 800 days—before being resolved. According to the report, fewer than five years ago these durations seldom went beyond 400 days.

The report indicates that the extended time period demonstrates how the software supply chain is hitting “critical points, where publisher resources are unable to keep up with the growing number of vulnerabilities.”

Sonatype highlighted that the open-source ecosystems associated with each programming language can introduce distinct challenges when bolstering defenses. For example, over recent years the widely used package manager for the Node.js JavaScript runtime has experienced a significant rise in spam and cryptocurrency-themed malicious packages.
