Security News > 2021 > September > Here's a fix for open source supply chain attacks
TechRepublic contributing writer Jack Wallen is correct that "Open source software has proved itself, time and time and time again, that it is business-grade for a very long time." Sonatype is also correct that supply chain attacks against popular open source software repositories jumped 650% over the last year.
Open source keeps growing in popularity, to the tune of 2.2 trillion open source packages pulled from repositories like npmjs and Maven in 2021, according to Sonatype's study.
As the report continues, the old way of exploiting vulnerabilities in open source projects would be to look for publicly accessible, unpatched security holes in open source code.
Hackers "Are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities."
Often, they're getting that open source delivered to them as managed services, which strips away hardware and software friction, allowing developers to move at maximum speed with a minimum of constraint.
It's still early, but hopefully this widespread adoption of open source software to deliver higher-order cloud services will, in turn, lead to widespread contributions to the open source projects upon which these services depend.
News URL
Related news
- New Hugging Face Vulnerability Exposes AI Models to Supply Chain Attacks (source)
- Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks (source)
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
- New open-source project takeover attacks spotted, stymied (source)
- Protobom: Open-source software supply chain tool (source)