Supply chain attacks on open source repositories are reaching new highs


There has been a whopping 650% year over year increase in supply chain attacks aimed at upstream open source public repositories, according to a new report.

Interestingly, despite the risk, cybersecurity company Sonatype’s seventh annual State of the Software Supply Chain Report notes a strong growth in the supply and demand of open source software.

“This year’s State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype.


This year’s report analyzed operational supply, demand and security trends for the four most popular open source repositories, each serving a major programming language ecosystem: Java (Maven Central), JavaScript (npmjs), Python (PyPI), and .NET (NuGet).

The report notes that demand for open source software increased by 73% in 2021, with developers expected to download more than 2.2 trillion open source packages from the top four ecosystems.

Sonatype’s analysis revealed that the top four open source ecosystems now contain a total of 37,451,682 different versions of components, an increase of 20% compared to last year.

However, the security company also points out the startling increase in attacks “aimed at exploiting weaknesses in upstream open source ecosystems.”

A breakdown of the threats revealed that popular projects were more likely to be vulnerable, with 29% of them containing at least one known security vulnerability.

The figure drops to 6.5% for less popular project versions. Sonatype takes this as a sign that security researchers (blackhat and whitehat alike) concentrate their efforts on the most widely used projects.

Sonatype’s research isn’t the first to highlight the pressing need to secure the open source software supply chain. Veracode reached a similar conclusion earlier this year, based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.

Last year the Linux Foundation brought together Microsoft, GitHub, Google, IBM, Red Hat, JPMorgan and others to create the Open Source Security Foundation (OpenSSF), with the aim of improving open source security. Earlier this year, the group announced the Scorecard project to help sanitize the open source software supply chain.

Mayank Sharma