{"id":710,"date":"2024-10-14T10:00:00","date_gmt":"2024-10-14T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=710"},"modified":"2024-10-14T10:00:00","modified_gmt":"2024-10-14T10:00:00","slug":"malicious-open-source-software-packages-have-exploded-in-2024","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=710","title":{"rendered":"Malicious open-source software packages have exploded in 2024"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Malware is infiltrating the open-source software development ecosystem at an alarming rate, according to a new report from software supply chain management firm Sonatype. The company has tracked over 500,000 new malicious packages since November 2023 across the popular Java, JavaScript, Python, and .NET package registries.<\/p>\n<p>New malicious components account for over 70% of the around 700,000 malware packages the company has tracked since 2019, when it first started including this statistic in its annual <a href=\"https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/Introduction\">State of the Software Supply Chain report<\/a>.<\/p>\n<p>This wave of malware adds to the existing challenges that organizations face when it comes to the quality of the open-source components they choose to integrate into their applications. According to Sonatype\u2019s data, on average every enterprise application has at least 180 third-party components, a challenging volume to manage.<\/p>\n<p>As a result, the company found that over 80% of vulnerable application dependencies remain unpatched for more than a year even though 95% have safer alternatives available. 
Even when updates are applied, in 3.6% of cases vulnerable dependencies get updated to other insecure versions.<\/p>\n<p>Take, for example, Log4j. The logging library for Java used in millions of applications had a critical vulnerability <a href=\"https:\/\/www.csoonline.com\/article\/571797\/the-apache-log4j-vulnerabilities-a-timeline.html\">dubbed Log4Shell<\/a> in <a href=\"https:\/\/www.csoonline.com\/article\/571827\/how-to-detect-log4shell-exposure-and-exploitation.html\">December 2021<\/a>. That flaw and a few others that followed shortly after received widespread publicity, but nearly three years later 13% of log4j downloads from the Maven Central Java repository <a href=\"https:\/\/www.csoonline.com\/article\/574261\/log4shell-remains-a-big-threat-and-a-common-cause-for-security-breaches.html\">continue to be for vulnerable versions<\/a>.<\/p>\n<p>\u201cManaging open-source risks requires optimizing security policies and practices to keep up with the fast-paced evolution of new OSS libraries,\u201d Sonatype wrote in its report. \u201cOrganizations struggle with the impracticality of slowing down DevOps processes for manual vulnerability reviews, leading to frustration among developers.\u201d<\/p>\n<p><strong>[ Related: \u201c<a href=\"https:\/\/www.csoonline.com\/article\/574615\/top-10-open-source-software-risks.html\">Top 10 open source software security risks \u2014 and how to mitigate them<\/a>.\u201d ]<\/strong><\/p>\n<h2 class=\"wp-block-heading\">Malware can lead to supply-chain compromises<\/h2>\n<p>Like malware targeting desktop computers, malicious components uploaded to open-source package repositories can serve different purposes and not all have the same impact.<\/p>\n<p>Sonatype catalogs almost half of all malicious components as \u201cpotentially unwanted applications\u201d (PUAs) \u2014 mostly innocent in practice but with functionality not disclosed to the end user. 
These include <a href=\"https:\/\/www.csoonline.com\/article\/572327\/developer-sabotages-own-npm-module-prompting-open-source-supply-chain-security-questions.html\">protestware<\/a>, in which the component\u2019s creator includes protest messages or actions meant to draw attention to a cause they care about.<\/p>\n<p>Another 12% are flagged as \u201csecurity holding packages,\u201d meaning that the ecosystem maintainers flagged them as malicious at some point and replaced them with a clean placeholder package to draw attention to those using them.<\/p>\n<p>The rest have pretty serious consequences that can result in <a href=\"https:\/\/www.csoonline.com\/article\/570743\/6-most-common-types-of-software-supply-chain-attacks-explained.html\">supply-chain compromises<\/a>. Around 14% of packages are distributed through phishing techniques, meaning they use <a href=\"https:\/\/www.csoonline.com\/article\/570433\/dependency-confusion-explained-another-risk-when-using-open-source-repositories.html\">dependency confusion<\/a> to impersonate internal packages used by organizations with the goal of dropping further malware on development systems.<\/p>\n<p>Around 14% of malicious packages are designed to steal sensitive files and data from machines such as environment variables, authentication tokens, password files, and other information that could help the attackers to compromise more systems later. 
A subset of 3% of packages also target personally identifiable information (PII) and 3% deploy backdoors and trojans on machines.<\/p>\n<p>Other types of malicious actions include dropping cryptocurrency mining programs (1.2%), corrupting file systems, or compromising the IDE tools developers use to write code, or continuous integration platforms.<\/p>\n<p><strong>[ Related: \u201c<a href=\"https:\/\/www.csoonline.com\/article\/570743\/6-most-common-types-of-software-supply-chain-attacks-explained.html\">6 most common types of software supply chain attacks explained<\/a>.\u201d ]<\/strong><\/p>\n<p>Some recent incidents of undesirable packages include a developer uploading around 14,000 fake packages to NPM to benefit from a cryptocurrency scheme that rewarded contributions to open source, attackers using typosquatting to push a Python package with a name very similar to a popular library that deployed the Lumma Windows stealer, and <a href=\"https:\/\/www.csoonline.com\/article\/2077692\/dangerous-xz-utils-backdoor-was-the-result-of-years-long-supply-chain-compromise-effort.html\">the XZ Utils backdoor<\/a>, an example of a years-long infiltration attack into a legitimate project by a rogue developer with the intention to poison the code.<\/p>\n<p>\u201cTraditional malware scanning solutions are unable to detect these novel forms of attack, leading developers and DevOps environments to be uniquely at risk,\u201d the Sonatype researchers wrote. \u201cAs the volume continues to grow so too will the clear and present danger facing organizations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Some vulnerability information is unreliable<\/h2>\n<p>Sonatype found that every enterprise application gets on average 13 critical or high-severity vulnerabilities every year that are inherited from dependencies. 
Organizations not only need automated tools that can track all direct and transitive dependencies \u2014 dependencies of dependencies \u2014 along with the vulnerabilities discovered in them; they must also reckon with the fact that sources of vulnerability information are not all equal.<\/p>\n<p>For example, the <a href=\"https:\/\/www.csoonline.com\/article\/2138449\/nist-is-finally-getting-help-with-the-national-vulnerability-database-backlog.html\">National Vulnerability Database (NVD) has a backlog<\/a> of over 17,000 vulnerabilities that haven\u2019t been processed yet. And Sonatype found in practice that over two-thirds of vulnerabilities originally rated with a CVSS severity score under 7 (medium) were corrected to above 7 (high or critical) when reviewed in more detail by a security researcher.<\/p>\n<p>As a result, depending on the source of vulnerability information they use, companies might miss vulnerabilities entirely or postpone addressing them, thinking they are less critical to deal with than they actually are. And if a vulnerability\u2019s score is changed after an application was assessed, it\u2019s hard to tell how long it will be until the application is scanned again.<\/p>\n<p>\u201cReducing persistent risk is possible by focusing on tools that help manage dependencies and apply real-time vulnerability detection,\u201d the researchers wrote. \u201cIn fact, we found that projects using a Software Bill of Materials (SBOM) to manage OSS dependencies showed a 264-day reduction in time to fix compared to those that did not.\u201d<\/p>\n<p>The advance of <a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\">SBOM<\/a> standards and government regulations <a href=\"https:\/\/www.csoonline.com\/article\/1267725\/understanding-the-nsas-latest-guidance-on-managing-oss-and-sboms.html\">that strongly encourage them<\/a> have pushed an increasing number of open-source developers to adopt them. 
Unfortunately, the rate of adoption does not keep up with the rate of newly released components. Almost 7 million new open-source components were published in the past 12 months \u2014 of those, only 61,000 had SBOMs.<\/p>\n<p>A troubling trend is the increasing average time to fix vulnerabilities, regardless of severity. Critical vulnerabilities used to have average fix times between 200 and 250 days, but that now exceeds 500 days in some cases. High-severity vulnerabilities have extended their time to fix from between 150 and 300 days to more than 400; low-severity flaws now have a time to fix of 500 to 700 days, with some stretching to 800.<\/p>\n<p>\u201cThis sharp increase suggests that publishers are overwhelmed, struggling to keep up with both the volume of security issues and the ongoing demands of innovation and feature development,\u201d the researchers said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Malware is infiltrating the open-source software development ecosystem at an alarming rate, according to a new report from software supply chain management firm Sonatype. The company has tracked over 500,000 new malicious packages since November 2023 across the popular Java, JavaScript, Python, and .NET packages registries. 
New malicious components account for over 70% of around [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":711,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/710"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=710"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/710\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/711"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}