The insatiable global demand for open source code packages has led to a triple-digit year-on-year surge in upstream software supply chain attacks, according to Sonatype.
The supply chain management specialist compiled its 2021 State of the Software Supply Chain report from publicly available and proprietary data.
It claimed that global developers would borrow over 2.2 trillion open-source packages or components from third-party ecosystems to accelerate time-to-market. This includes Java packages downloaded from the Maven Central Repository, Python packages from PyPI, JavaScript packages from npmjs and .NET packages from NuGet.
These shared code packages often contain publicly disclosed vulnerabilities that threat actors can exploit. However, cyber-criminals are increasingly taking a more proactive approach, Sonatype warned.
“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted.
“By shifting their attacks ‘upstream,’ bad actors can gain leverage and the crucial benefit of time that enables malware to propagate throughout the supply chain, enabling far more scalable attacks on ‘downstream’ users.”
Such attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year, Sonatype said.
There were 216 such attacks detected over four years between February 2015 and June 2019. However, this figure rose to 929 during just a year (July 2019–May 2020). That number surged to a staggering 12,000 over the past year.
“We now know that popular projects contain disproportionately more vulnerabilities,” argued Sonatype EVP, Matt Howard.
“This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up-to-date with optimal versions.”
Major cyber-threat campaigns, including the attacks on SolarWinds and Codecov, highlight the potentially severe repercussions of code supply-chain compromises.