Name: Open Season on Open Source - Entering The New Frontier of Securing OSS
Time: 4:30 PM - 5:00 PM (EDT)
Description:

In 2020, developers around the world requested more than 1.5 trillion open source software components and containers for one reason: it accelerates the pace of innovation. But in the recent State of the Software Supply Chain report, we saw the number of next-generation cyber attacks aimed at actively infiltrating open source increase by 430%. In just the past two months, we’ve caught 10 more malicious attacks. These attacks are a uniquely efficient way for adversaries to gain leverage and scale by exploiting software supply chains.

Simply stated, members of the world’s open source community are facing a novel and rapidly expanding threat that has nothing to do with passive adversaries exploiting known vulnerabilities in the wild — and everything to do with aggressive attackers implanting malware directly into open source projects.

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors.

When malicious code is deliberately and secretly injected upstream into open source projects, it is highly likely that no one knows the malware is there, except for the person that planted it. This approach allows adversaries to surreptitiously set traps upstream, and then carry out attacks downstream once the vulnerable code has moved through the supply chain and into the wild.

Simultaneously, we are observing a shift in the intended target of these new attacks. Increasingly, developers and development systems, with their unprecedented access to and influence over distributed code, are the focus. Traditional AppSec approaches tend to focus on the output of development, ensuring that it’s safe for its users, and this leaves a large gap that is being exploited.

Security and development teams need to understand the changing landscape and help put developer-first security tools in the hands of developers everywhere.

Brian Fox