Malicious packages in open-source repositories are surging
The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
The cybersecurity firm found that the number of malicious packages intentionally uploaded to open-source repositories has jumped by more than 150% compared to last year. Open-source software, developed through a transparent process in which almost anyone can contribute code and components, is the bedrock of the digital age and can be found in most modern digital technologies.
Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
Vulnerabilities in open-source packages, and the developers who maintain them, have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers aiming to insert a vulnerability that would have ended up on Linux servers throughout the world.
Brian Fox, co-founder and chief technology officer at Sonatype, said that attacks like XZ Utils show that malicious hackers “have made the most strides” in open source within the past decade.
Fox said the “real issue is the publishers and consumers” of open-source software.
Data from the report highlighted that developers and publishers have focused on quickly releasing features and publishing new versions, with security tossed aside in the process.
“We could see a lot of projects have really improved their ability to release faster,” Fox said. “That’s not surprising; that is the state of modern software development. The disappointing part is while they’re releasing faster, on average, it’s taking longer to fix the vulnerabilities in their dependencies.”
But even when a fix exists, it is also taking longer to patch or mitigate, and Sonatype found that components carrying major bugs like Log4Shell are still being downloaded in vulnerable versions years after discovery. The researchers found that 13% of Log4j downloads included vulnerable versions.
Critical vulnerabilities used to take somewhere between 200 and 250 days to fix, but can now take up to 500 days before a new release, the report noted.
Medium- and low-severity bugs saw an even more dramatic increase in mitigation time, taking more than 500 days, and in some cases 800 days or more, before a patch was issued. The report shows that less than five years ago those numbers rarely exceeded 400 days.
The report notes that the growing fix times show the software supply chain is reaching “critical points where publisher resources cannot keep pace with the rising volume of vulnerabilities.”
The variety of open-source ecosystems across programming languages can also create unique challenges for strengthening defenses, Sonatype reported. For instance, the popular package manager for the JavaScript runtime environment Node.js saw a dramatic increase in spam and cryptocurrency-based malicious packages within the past few years.