The report found that attacks that leverage malicious open-source modules have continued to multiply in the commercial sector. Enterprises have seen an exponential increase in supply chain attacks since 2020, and a slower but still steady rise in 2022.
One particular favorite for attackers is npm, the popular open-source registry for Node.js packages (Node Package Manager). Some 7,000 malicious package uploads to npm were detected from January to October, a nearly 100-fold increase over the 75 malicious packages discovered in 2020 and a 40% increase over the number found in 2021.
The Python Package Index, known as PyPI, was also being flooded with tainted open-source modules designed to mine cryptocurrency and plant malware, among other things. The attacks were consistent with what researchers observed in 2021, when attackers commonly relied on dependency confusion (publishing a public package under the name of an organization's private, internal package so that a resolver configured to search both indexes picks the attacker's higher version) and typosquatting (publishing a package whose name is one keystroke away from a popular one).
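Both techniques named above can be screened for before an install ever runs. The following is an added example, not code from the report or from the article, of a pre-flight check over a requirements file: it flags package names within one edit of a well-known name (typosquat candidates), flags internal-namespace packages that are not hash-pinned (the case dependency confusion exploits), and flags `--extra-index-url`, the pip option that makes a private index and the public index compete on version number. The allowlist `KNOWN_PUBLIC`, the `acme-` internal prefix, and the sample requirements text are all constructed for illustration.

```python
"""Pre-flight check of a requirements file for typosquats and dependency
confusion.  Added example; the package lists and sample input are constructed."""
import re

# Constructed allowlist of well-known public names.  In a real pipeline this
# would be the set of names your lockfile already resolves from the public index.
KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "cryptography", "django", "flask"}

# Constructed: name prefixes that identify the organisation's private packages.
INTERNAL_PREFIXES = ("acme-",)

# Constructed sample requirements file (the hash value is a placeholder).
SAMPLE = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
reqeusts==2.31.0          # transposed letters
urlib3>=1.26              # dropped letter
acme-billing==1.4.0       # internal name, version pin only
acme-auth==2.0.0 --hash=sha256:deadbeef
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions, substitutions
    and adjacent transpositions, i.e. the edits typosquatters rely on."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def check_requirements(text: str) -> list:
    """Return (subject, finding) tuples, in file order, for suspicious lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append(("--extra-index-url",
                             "public and private indexes compete on version; "
                             "use a single --index-url pointing at a proxy"))
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope here
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, rest = normalize(m.group(1)), m.group(2)
        if name in KNOWN_PUBLIC:
            continue
        for known in sorted(KNOWN_PUBLIC):
            if edit_distance(name, known) == 1:
                findings.append((name, f"possible typosquat of {known}"))
        if name.startswith(INTERNAL_PREFIXES) and "--hash=" not in rest:
            findings.append((name, "internal package without --hash pin; "
                                   "a public upload of the same name and a "
                                   "higher version would be installed"))
    return findings


if __name__ == "__main__":
    for subject, finding in check_requirements(SAMPLE):
        print(f"{subject}: {finding}")
```

A version pin alone does not stop dependency confusion, because the attacker can publish the pinned version number too; a `--hash=` pin does, since pip rejects an artifact whose digest does not match. The edit-distance screen is a heuristic and will miss squats that rely on homoglyphs or added words, so treat it as one layer alongside a private proxy that mirrors the public index.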
High-profile organizations, including Samsung Electronics Co. Ltd. and Toyota Motor Co., were embarrassed by secrets exposed through open-source repositories maintained internally or by third-party contractors.
The report notes that the attacks have increased the focus on software supply chain security. Following the issuance of the Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, the past year has seen new federal guidance for tightening supply chain security.
Among the resulting initiatives is a practice guide for software suppliers to the federal government, issued by the Enduring Security Framework Software Supply Chain Working Panel. September also brought a memorandum from the Office of Management and Budget (M-22-18) that requires software firms to attest to the security of the software and services they license to Executive Branch agencies.
Looking forward, the report finds that software publishers with federal contracts will need to clear higher bars for software security to meet the new guidelines. Those bars include attesting to the security of their code and, in some cases, producing software bills of materials: inventories of the components in a shipped product that let customers trace which of their deployed software contains a compromised or vulnerable dependency.
“Given that the threat of supply chain attacks goes beyond publishers that sell to the federal government, all organizations that develop software will need to take similar steps to keep ahead of these threats,” the report’s authors concluded.