Next-gen software supply chain attacks up 650% in 2021

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

“Next-generation” software supply chain attacks have increased by 650% in the past year as bad actors proactively move upstream to wreak havoc by infiltrating open source software.

That’s according to Sonatype, a software composition analysis (SCA) platform that companies use to analyze their public and private codebases and evaluate them for security and compliance shortfalls.

Over the past year, Sonatype studied data from 100,000 production applications and 4 million component migrations made by software developers, alongside “operational supply, demand, and security” trends related to the Java, JavaScript, Python, and .Net ecosystems. This culminated in the firm’s seventh annual “State of the Software Supply Chain” report, which unearthed a range of findings.

The report revealed that open source “supply” has increased by 20%, with the top four open source ecosystems now containing nearly 37.5 million “different versions of components.” Demand, meanwhile, grew by 73%, with developers downloading more than 2.2 trillion open source packages in 2o21.

Sonatype’s latest report also found that security vulnerabilities are “most pervasive” in the more popular projects. These include the top 10% of projects across the four open source ecosystems (Java, JavaScript, Python, and .NET), 29% of which contained at least one known security vulnerability. Of the remaining 90% “least popular” projects, only 6.5% contained at least one known vulnerability.

While it could be tempting to conclude that the most widely used open source projects are inherently less secure, security researchers are primarily focused on the most widely distributed software. White-hat security researchers obviously want to find the bugs and glitches that impact the most companies, whether to claim a financial reward or for purely altruistic reasons. And malicious hackers are also more likely to exploit the same “popular” codebases to maximize damage through the software supply chain.

“We now know that popular projects contain disproportionately more vulnerabilities,” Sonatype EVP Matt Howard said in a press release. “This stark reality highlights both a critical responsibility and opportunity for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”

But arguably the most interesting findings related to the evolving nature of software supply chain attacks — Sonatype’s report noted that bad actors “can gain leverage and the crucial benefit of time” by adopting any technique that goes further upstream toward the origins of the open source code. These “next-generation” attacks are more scalable, offering greater opportunities to distribute malware throughout the software supply chain to inflict maximum damage.

Upstream

It’s no secret that open source codebases contain myriad vulnerabilities, but as enterprise developers have come to realize the significant security benefits to keeping their software up to date with the latest components, attackers can no longer rely on “known” vulnerabilities like they used to. Instead, they are increasingly having to create the vulnerabilities by pushing bad code upstream into the open source libraries, thus propagating the broader software supply chain.

“Over the years, we’ve witnessed a variety of different attacks aimed at ‘upstream’ open source repositories — things like malicious code injection and typosquatting,” Howard told VentureBeat. “This year, however, we observed a novel and popular attack vector called ‘dependency confusion,’ which primarily accounted for the massive YoY increase.”

Indeed, the most common attack Sonatype identified in the past year was dependency confusion, a technique that involves tricking software installer scripts into pulling a malicious package from a public repository.

“This attack method involves figuring out the names of internal packages for a particular company’s application and then publishing a package with the same name but a higher semantic version of a package already in use,” Howard explained. “When automated software development tools update their dependencies, they often look to external sources as well as internal sources, which leads to automatic downloads of malicious packages.”

By way of example, back in February a white-hat security researcher leveraged dependency confusion to breach dozens of big companies, including Microsoft, Apple, PayPal, and Uber. A week later, Sonatype identified hundreds of malicious copycat packages.

Sonatype identified typosquatting as the second most common attack, a method that involves tricking developers into downloading malicious packages by mimicking the name of a legitimate package on a public registry. In third place was malicious source code injections, which — as its name suggests — involves inserting bad code into open source projects.

Between February 2015 and June 2019, Sonatype reported there were 216 upstream software supply chain attacks, a figure that rose to 929 from July 2019 to May 2020 before rising 650% in the past year to around 7,000. Sonatype concluded that if the past year is any indication, “… we expect that attackers will continue to target upstream software supply chain assets as a preferred path to exploiting downstream victims at scale.”

The full “State of the Software Supply Chain” report is available to download now.