Open source repositories are increasingly becoming targets for criminals. In the last year alone, Sonatype identified over 55,000 infected packages.
Attacks via the software supply chain have increased sharply in recent years, according to the “State of the Software Supply Chain Report” published by the security software provider Sonatype. Attacks on upstream repositories of open source projects have grown by 700 percent over the past three years.
Attackers are increasingly exploiting weaknesses upstream in open source ecosystems to inject malware into corporate projects downstream. According to Sonatype, the vendor’s firewall product for open source supply chains identified more than 55,000 newly released packages as malicious in the last year. For context: according to the vendor, the firewall uses AI to check around 600,000 package releases per month.
Sonatype plans to publish the final report in October, according to the provider’s press release. Attacks on open source components have repeatedly made headlines in recent years, most recently with Log4Shell. Part of the problem is that projects often pull in a large number of ready-made software packages, which makes it difficult to keep track of what is actually in use. Software bills of materials (SBOMs) are intended to remedy this, and free open source tools exist for producing them.
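As an added illustration of what an SBOM buys a defender in this situation (this is example code written for this article, not Sonatype's firewall or any tool from the report), the script below parses a constructed pip-compile style lockfile into an inventory, serialises it as a minimal CycloneDX 1.5 document, and diffs a previously reviewed inventory against a new build so that any package that appeared or changed version or hash is surfaced for review before release. Every package name, version and hash in the sample data is made up; the lockfile format and the CycloneDX field names are real.

```python
"""Build a minimal CycloneDX-style SBOM from a pinned lockfile and flag drift.

Added illustration for this article; it is not Sonatype's tooling and not
taken from the report. All package names, versions and hashes are made up.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lockfiles in pip-compile style (name==version plus hashes).
LOCKFILE_APPROVED = """\
# approved build, reviewed at the last release
requests==2.31.0 \\
    --hash=sha256:aaaa1111
urllib3==2.0.7 \\
    --hash=sha256:bbbb2222
"""

LOCKFILE_NEW_BUILD = """\
requests==2.31.0 \\
    --hash=sha256:aaaa1111
urllib3==2.0.8 \\
    --hash=sha256:cccc3333
newdep==1.0.0 \\
    --hash=sha256:dddd4444
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
CDX_ALG = {"sha256": "SHA-256", "sha512": "SHA-512"}  # CycloneDX hash algorithm names


def parse_lockfile(text: str) -> Dict[str, dict]:
    """Return {name: {"name", "version", "hashes"}} for every pinned package."""
    components: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            current = m.group("name").lower()
            components[current] = {"name": current, "version": m.group("version"), "hashes": {}}
        for h in HASH_RE.finditer(line):
            if current is None:
                raise ValueError(f"hash line without a preceding pin: {raw!r}")
            components[current]["hashes"][h.group("algo")] = h.group("digest")
    return components


def to_cyclonedx(components: Dict[str, dict]) -> dict:
    """Serialise the inventory as a CycloneDX 1.5 JSON document (subset of fields)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
                "hashes": [
                    {"alg": CDX_ALG.get(algo, algo.upper()), "content": digest}
                    for algo, digest in sorted(c["hashes"].items())
                ],
            }
            for _, c in sorted(components.items())
        ],
    }


def diff_components(approved: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """Compare two inventories; anything added or changed needs review before release."""
    added = sorted(set(new) - set(approved))
    removed = sorted(set(approved) - set(new))
    changed: List[Tuple[str, str, str]] = []
    for name in sorted(set(approved) & set(new)):
        old, cur = approved[name], new[name]
        # A new version, or the same version with different hashes, both count as drift.
        if (old["version"], old["hashes"]) != (cur["version"], cur["hashes"]):
            changed.append((name, old["version"], cur["version"]))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    baseline = parse_lockfile(LOCKFILE_APPROVED)
    candidate = parse_lockfile(LOCKFILE_NEW_BUILD)
    print(json.dumps(to_cyclonedx(candidate), indent=2))
    print("drift:", diff_components(baseline, candidate))
```

Run on the two constructed lockfiles, the drift report names `newdep` as a package that was never reviewed and `urllib3` as one whose version and hash moved; in a CI pipeline that report is the gate, and the CycloneDX document is what gets archived with the build so the question "did we ship this package?" can be answered later without rebuilding.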