Sonatype Finds 700% Average Increase in Open Source Supply Chain Attacks

New Data Underscores Critical Need for Early Defense Against Malicious Code

September 20, 2022 -- Fulton, Md. -- Sonatype, the pioneer of software supply chain management, has found a massive year-over-year increase in cyberattacks aimed at open source project ecosystems. According to early data from Sonatype's 8th annual State of the Software Supply Chain Report, which will be released in full this October, Sonatype has recorded an average 700% jump in repository attacks over the last three years.

To capitalize on weaknesses in upstream open source ecosystems, cybercriminals continue to target organizations through open source repositories. They contribute malware-infected software components that are distributed downstream and ingested by applications that businesses and consumers rely on. As of this publication date, Sonatype’s industry-leading repository Firewall has identified more than 55,000 newly published packages as malicious in open source repositories over the past year, and nearly 95,000 over the past three years. Firewall is part of the Sonatype Nexus platform, the world’s most complete software supply chain management solution. DevSecOps teams worldwide rely on the Nexus platform to automate policy enforcement, without slowing innovation.

Sonatype’s repository Firewall is the only solution that combines next-generation behavioral analysis and automated policy enforcement to continuously detect and block malicious packages, in addition to potentially vulnerable components. Using artificial intelligence, Firewall evaluates every newly released open source software component, an average of over 600,000 newly released components per month, and determines whether it is a potential threat. Those that are “known bad” (such as a critically malicious typosquat) are automatically blocked from download. Components identified as “potential threats” are quarantined until Sonatype’s security research team manually confirms them as malicious or clears them. Code identified as safe is cleared for use.

“Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down–making the early detection of both known and unknown security vulnerabilities more important than ever,” said Brian Fox, co-founder and CTO of Sonatype. “Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.”

The scale of open source malware attacks is so great that it would be humanly impossible to detect and prevent every single attack in real time. And even if a malicious component never reaches the final product, that is no protection: once it has been downloaded to a developer’s machine, it is already too late. Firewall’s proprietary malicious component detection and blocking prevents dangerous components from ever entering the software development life cycle, protecting developers from using harmful components and organizations from the ever-increasing cost of a cybersecurity breach.

“The volume, frequency, severity, and sophistication of malicious cyberattacks continue to increase. Organizations can’t–and shouldn’t–avoid the use of open source just to protect themselves,” Fox added. “But they can use preventative tools–such as the Sonatype Firewall–to keep developers on track and software supply chains secure.”

Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code and containerized code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.