
Open Source Malware and Vulnerabilities Resources

Learn about the danger of open source malware and software vulnerabilities.

The difference between vulnerabilities and open source malware

Vulnerability vs. Malware

  • Vulnerable Open Source Component

    is a legitimate open source component in which a good-faith contributor inadvertently introduced risk, typically a bug that an attacker can later exploit.

  • Open Source Malware

    is a malicious component that a bad actor created for the purpose of introducing risk through the development or build toolchain, for example a package published under a name that developers or resolvers will pick up by mistake.

Influential cyber incidents, open source malware, and vulnerabilities

Timeline, most recent first: July 2024 CrowdStrike; March 2024 XZ; December 2023 Struts2; August 2023 HTTP/2 Rapid Reset; December 2022 PyTorch; December 2021 Log4Shell; April 2021 Codecov; December 2020 SolarWinds; May 2020 Octopus Scanner.

CrowdStrike

This incident, while neither a vulnerability nor malware, underscored how a routine software update can escalate into a widespread digital crisis: a faulty content update to the CrowdStrike Falcon sensor crashed Windows hosts worldwide.

XZ

A backdoor planted in the xz utils / liblzma compression library (tracked as CVE-2024-3094) by a contributor who had spent years earning maintainer trust. The malicious code hooked OpenSSH on distributions whose sshd links against liblzma, and it reached testing and rolling-release Linux distributions before it was discovered. Although it carries a CVE, this was deliberately inserted code, which makes it open source malware rather than an inadvertent vulnerability.

Struts2

A path traversal flaw in Apache Struts 2's file upload handling (CVE-2023-50164): by manipulating upload parameters an attacker can write an uploaded file outside the intended directory and, in some deployments, achieve unauthenticated remote code execution.

HTTP/2 Rapid Reset

A weakness in the HTTP/2 protocol itself (CVE-2023-44487): a client can open a stream with a HEADERS frame and immediately cancel it with RST_STREAM. Cancelled streams no longer count against the server's concurrent-stream limit, so an attacker can make the server start and tear down request handling far faster than that limit was meant to allow. It was used for record-sized distributed denial of service (DDoS) attacks that disrupted web services globally.
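The detection logic below is an added example, not code from Sonatype or from any affected server: it scans a constructed HTTP/2 frame log (timestamp, connection, frame type, stream id; not real traffic) and flags connections whose rate of "open then immediately reset" streams exceeds a threshold. Counting resets per time window, rather than only concurrently open streams, is the mitigation most servers adopted; the threshold and window values here are assumptions for the demo.

```python
"""Rapid Reset detector over a constructed HTTP/2 frame log (added example)."""
from collections import defaultdict, deque

# Constructed client-to-server frame log, not captured traffic:
# (time_seconds, connection_id, frame_type, stream_id)
# c1 is a normal client: two requests, each followed by DATA.
# c2 opens 300 streams and resets each one 0.5 ms later (the attack pattern).
FRAMES = (
    [(0.00, "c1", "HEADERS", 1), (0.20, "c1", "DATA", 1),
     (0.50, "c1", "HEADERS", 3), (0.90, "c1", "DATA", 3)]
    + [(0.001 * i, "c2", "HEADERS", 2 * i + 1) for i in range(300)]
    + [(0.001 * i + 0.0005, "c2", "RST_STREAM", 2 * i + 1) for i in range(300)]
)
FRAMES.sort()


def count_quick_resets(frames, max_open_age=0.1):
    """Return {connection: [reset_time, ...]} for streams the client reset
    within max_open_age seconds of opening them. A stream opened and quickly
    cancelled is the unit of work the attack makes the server waste."""
    opened = {}                      # (conn, stream) -> time HEADERS was seen
    resets = defaultdict(list)
    for t, conn, ftype, sid in frames:
        if ftype == "HEADERS":
            opened[(conn, sid)] = t
        elif ftype == "RST_STREAM":
            t_open = opened.pop((conn, sid), None)
            if t_open is not None and t - t_open <= max_open_age:
                resets[conn].append(t)
    return resets


def peak_reset_rate(reset_times, window=1.0):
    """Largest number of quick resets inside any window-second interval
    (sliding window over sorted timestamps)."""
    peak = 0
    recent = deque()
    for t in sorted(reset_times):
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def flag_rapid_reset(frames, threshold=100, window=1.0, max_open_age=0.1):
    """Connections whose quick-reset rate exceeds `threshold` per window,
    mapped to their peak rate. Threshold/window are assumed demo values;
    real servers tune them per deployment."""
    resets = count_quick_resets(frames, max_open_age)
    flagged = {}
    for conn, times in resets.items():
        peak = peak_reset_rate(times, window)
        if peak > threshold:
            flagged[conn] = peak
    return flagged


if __name__ == "__main__":
    for conn, peak in flag_rapid_reset(FRAMES).items():
        print(f"{conn}: {peak} quick resets per {1.0}s window, exceeds limit")
```

Note that the normal client c1 is never flagged even though it opens streams, because it never resets them; only the open-and-cancel pattern counts. A server that enforces the same count can close the offending connection (or send GOAWAY) instead of continuing to allocate work for streams it will never finish.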

PyTorch

Attackers compromised the nightly build of the popular machine learning library PyTorch through dependency confusion: the nightly depended on a package (torchtriton) served from PyTorch's own package index, and the attackers published a malicious package of the same name on the public PyPI index. Installers that combined both indexes picked up the PyPI version, which harvested files and credentials from the host.
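The following is an added example, not code from Sonatype or the PyTorch project, that models the resolution behaviour behind that incident. It simulates two package indexes with constructed, hypothetical package names and version numbers (the real torchtriton versions are not reproduced): a merged resolver that pools candidates from every index and takes the highest version, as pip does when an extra index URL is configured, versus a hardened resolver that pins each package to exactly one index and fails closed for anything unpinned. A helper also lists names that exist on both indexes, which is the first thing to audit.

```python
"""Dependency confusion: merged-index vs pinned-index resolution (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (2, 0, 0); tuples compare component-wise
    index: str       # which index served this candidate


# Constructed sample indexes with hypothetical versions (not real metadata).
PRIVATE_INDEX = {
    "torchtriton": [Candidate("torchtriton", (2, 0, 0), "private")],
    "internal-utils": [Candidate("internal-utils", (1, 4, 0), "private")],
}
PUBLIC_INDEX = {
    # Attacker-published package with the same name and a higher version.
    "torchtriton": [Candidate("torchtriton", (3, 0, 0), "public")],
    "requests": [Candidate("requests", (2, 31, 0), "public")],
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def resolve_merged(name, indexes):
    """Naive resolution: pool candidates from every index and pick the
    highest version, regardless of where it came from. This is the behaviour
    that lets a public look-alike win over the intended private package."""
    candidates = [c for idx in indexes for c in idx.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name, pins, indexes_by_label):
    """Hardened resolution: each package name is pinned to one index label;
    candidates from any other index are never considered, and an unpinned
    name is an error rather than a silent fallback to the public index."""
    label = pins.get(name)
    if label is None:
        raise LookupError(f"{name}: no index pin, refusing to resolve")
    candidates = indexes_by_label[label].get(name, [])
    if not candidates:
        raise LookupError(f"{name}: not found on pinned index {label!r}")
    return max(candidates, key=lambda c: c.version)


def dependency_confusion_candidates(private, public):
    """Names present on both indexes: every one is a potential hijack,
    whether or not the public version is currently higher."""
    return sorted(set(private) & set(public))


if __name__ == "__main__":
    hit = resolve_merged("torchtriton", [PRIVATE_INDEX, PUBLIC_INDEX])
    print(f"merged resolver chose {hit.index} {hit.version}")
    safe = resolve_pinned("torchtriton", {"torchtriton": "private"}, INDEXES)
    print(f"pinned resolver chose {safe.index} {safe.version}")
    print("names on both indexes:", dependency_confusion_candidates(PRIVATE_INDEX, PUBLIC_INDEX))
```

pip itself has no per-package index pinning, so in practice the pinned policy lives in a single repository manager or proxy that every installer is pointed at and that decides, per package, whether a public upstream may ever serve it. Reserving your internal package names on the public index removes the other half of the problem.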

Log4Shell

A critical remote code execution vulnerability (CVE-2021-44228) in the widely used Log4j logging library: a crafted `${jndi:...}` lookup string in any logged input triggered a JNDI lookup that could fetch and execute attacker-controlled code, exposing millions of devices and applications worldwide.

Codecov

Attackers modified Codecov's Bash Uploader script so that it exfiltrated environment variables from customers' CI runs, exposing tokens and secrets for roughly two months before the tampering was detected.

SolarWinds

Attackers inserted a backdoor into the build of SolarWinds' Orion platform, which was then distributed as signed updates to thousands of organizations, including government agencies and large corporations.

Octopus Scanner

A malware strain that targeted open source projects on GitHub, infecting NetBeans project build files so that every build produced trojanized artifacts, and spreading from there through downstream software supply chains.


Intercept open source malware

Sonatype Repository Firewall prevented a $5.5 million open source malware threat for a Fortune 200 financial institution

Sonatype Repository Firewall quickly detected over 75 malware attacks that had bypassed a major financial institution’s custom systems

Sonatype Repository Firewall prevented more than 2.8 million malicious open source malware downloads

The average application contains 23 known open source vulnerabilities.

Interested in understanding if your applications are at risk?