You’ve got millions of open-source software components to choose from... and so do cybercriminals
2021-02-17 20:00

Perhaps the most troubling aspect of this tale is that this was the seventh such malicious package found on npm within a month, a stark illustration of the effort that cybercriminals are making to insert themselves into the open source software supply chain.

According to Weeks, anywhere from 10 to 40 percent of the open source software components developers are downloading have known vulnerabilities.

It's clear that cybercriminals have read and fully digested the DevOps and open source playbooks to conduct these next-generation software supply chain attacks aimed at open source software project code.

Many of the factors that make open source software components the default choice for enterprise software developers are also factors that bad actors can leverage.

According to Sonatype's 2020 State of the Software Supply Chain Report projections, developers requested over 1.5 trillion open source software components and containers in 2020.

For enterprises, the first step in securely using open source is simply to be clear about which open source packages their developers are using, says Weeks.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/17/who_is_running_your_project/