'Next-Gen' Supply Chain Attacks Surge 430%

Attackers are increasingly seeding open source projects with compromised components.

As commercial and enterprise software developers become more disciplined about keeping their open source software components updated to reduce the risk of software supply chain attacks, the bad guys are getting craftier: Researchers warn that they're overrunning open source projects to turn them into malware distribution channels.


It used to be that attackers simply preyed on existing vulnerabilities within well-used open source components, with the understanding they could victimize the many organizations relying on outdated dependencies. Attackers are now more frequently getting proactive by infiltrating open source projects to seed them with compromised components that they can pounce on once they're downloaded and used by unsuspecting organizations.


According to the latest "2020 State of the Software Supply Chain" report just released by Sonatype, these so-called "next-generation" supply chain attacks are surging markedly, up 430% in the past year.


"Adversaries are shifting their activities 'upstream,' where they can infect a single open source component that has the potential to be distributed 'downstream,' where it can be strategically and covertly exploited," explains Wayne Jackson, CEO of Sonatype.


As the report explains, attackers are leveraging the very nature of open source software development against itself with these next-gen supply chain attacks. Open source projects rely on contributions from volunteers, and these projects themselves frequently incorporate hundreds or even thousands of dependencies from other projects. The ethos of open source projects is one that relies on shared trust, all of "which creates a fertile environment whereby bad actors can prey upon good people with surprising ease," the report explains. 


In fact, the attackers are now starting to seek out ways to scale u ..