Malicious packages in open-source repositories are surging

Submitted by Style Pass, 2024-10-11 21:00:07

The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.

The cybersecurity firm found that the number of malicious packages intentionally uploaded to open-source repositories has jumped by more than 150% compared to last year. Open-source software, developed through a transparent process in which almost anyone can contribute code and components, is the bedrock of the digital age and can be found in most modern digital technologies.

Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.

Vulnerabilities in open-source packages, and the developers who maintain them, have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers aiming to insert a vulnerability that would have ended up in Linux servers throughout the world.

Brian Fox, co-founder and chief technology officer at Sonatype, said that attacks like XZ Utils show that malicious hackers “have made the most strides” in open source within the past decade.
