Surge in cyber attacks targeting open source software projects (Security News, August 2020)
There has been a massive 430% surge in next generation cyber attacks aimed at actively infiltrating open source software supply chains, Sonatype has found.
The difference between "next generation" and "legacy" software supply chain attacks is simple but important: next generation attacks such as Octopus Scanner and electron-native-notify are strategic. They involve bad actors intentionally targeting and surreptitiously compromising "upstream" open source projects so they can subsequently exploit the vulnerabilities when those components inevitably flow "downstream" into the wild.
"Following the notorious Equifax breach of 2017, enterprises significantly ramped investments to prevent similar attacks on open source software supply chains," said Wayne Jackson, CEO at Sonatype.
"Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities. Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities 'upstream' where they can infect a single open source component that has the potential to be distributed 'downstream' where it can be strategically and covertly exploited."
51% of organizations took more than a week to remediate open source vulnerabilities.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/LUXWjkpq94o/