A new report from Sonatype has revealed that supply chain attacks on open-source public repositories have increased by up to 650% year-over-year. This may correspond to the growing demand for open-source projects, which rose by 73% this year.
What has happened?
According to the report, 216 supply chain attacks were spotted between February 2015 and June 2019. The figure rose to 929 between July 2019 and May 2020. Over the past year, however, the number surged to roughly 12,000.
The security firm has mentioned that the significant increase in supply-chain attacks has been mainly caused by the exploitation of flaws in popular open-source ecosystems.
The most downloaded open-source ecosystems are Python (PyPI), Java (Maven Central), .NET (NuGet), and JavaScript (npmjs). Developers are expected to download around 2.2 trillion packages from these open-source ecosystems.
Sonatype reported that the top four open-source ecosystems contain a total of 37,451,682 various versions of components, which is a 20% increase compared to last year.
Around 29% of the most popular projects were found to have at least one known security vulnerability. By contrast, only 6.5% of less popular projects had at least one known vulnerability.
Recent supply-chain security trends
Several reports have recently highlighted the risks of supply chain attacks related to open-source software.
Another report indicated a 430% year-on-year increase in software supply chain attacks targeting open-source components.
Moreover, security firm Veracode highlighted the growing danger of open-source software, stating that most developers fail to update the third-party libraries used in their codebases, exposing them to significant risk.
Security tips
Organizations should vet their open-source software dependencies to protect their supply chains. It is also advisable to strictly monitor the open-source projects used in the production environment for any anomalies.
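One concrete form of the dependency vetting recommended above is to pin every package to a version and an artifact hash, then verify what is actually fetched against those pins before it is installed. The following is an added example (not from the article or from Sonatype) that parses a lockfile in pip's hash-checking format and flags unpinned, substituted, or tampered artifacts; the package names, wheel bytes, and hashes are constructed stand-ins.

```python
import hashlib
import re

def parse_lockfile(text):
    """Return {name: (version, {sha256...})} for every requirement.

    Rejects any line that is not pinned to an exact version with at
    least one --hash, since an unpinned entry lets the registry decide
    which artifact is installed.
    """
    pins = {}
    text = text.replace("\\\n", " ")          # join pip-style continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)(.*)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, rest = m.groups()
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", rest))
        if not hashes:
            raise ValueError(f"{name}=={version} has no --hash pin")
        pins[name.lower()] = (version, hashes)
    return pins

def verify_artifacts(pins, artifacts):
    """artifacts: {name: downloaded bytes}. Returns sorted (name, status)."""
    results = []
    for name, data in artifacts.items():
        if name not in pins:
            results.append((name, "not-in-lockfile"))   # unexpected extra package
            continue
        digest = hashlib.sha256(data).hexdigest()
        results.append((name, "ok" if digest in pins[name][1] else "hash-mismatch"))
    for name in pins:
        if name not in artifacts:
            results.append((name, "missing"))
    return sorted(results)

# Constructed sample artifacts standing in for downloaded wheel files.
GOOD_WHEEL = b"constructed: contents of the requests wheel from a clean build"
TAMPERED_WHEEL = b"constructed: urllib3 wheel with unexpected extra code"
LOCKFILE = (
    "requests==2.31.0 \\\n    --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n"
    "urllib3==2.0.7 --hash=sha256:" + "0" * 64 + "  # placeholder hash from a clean build\n"
)

def check_sample():
    """Verify the constructed download set against the constructed lockfile."""
    pins = parse_lockfile(LOCKFILE)
    return verify_artifacts(pins, {
        "requests": GOOD_WHEEL,
        "urllib3": TAMPERED_WHEEL,
        "left-pad": b"constructed: package nobody pinned",
    })
```

In practice the same check is what `pip install --require-hashes -r lockfile.txt` performs; the script shows the logic so it can be reused as a pre-install gate or a monitoring rule.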