Software supply chain attacks are getting easier
The last 12 months have also seen software supply chain attacks shed complexity and boost accessibility.
No longer just the domain of nation-state actors, software supply chain attacks are increasingly being perpetrated by low-skill cybercriminals, evidenced by the use of open source packages to support commodity phishing campaigns that deliver turnkey, automated attacks used to facilitate the theft of victim data.
Secrets related to AWS accounted for around 14% of the total discovered on PyPI.
Anticipated surge in software supply chain attacks
In the wake of high-profile attacks, software producers and end user organizations should expect to see a continued high bar of disclosure requirements as well as more pointed guidance from the federal government, including the use of SBOMs when securing the software supply chain.
"Lacking sufficient visibility, software producers and their customers are failing to spot signs of code tampering and abuse within development pipelines or threats hiding in compiled software artifacts. In 2024, we expect software supply chain attacks to escalate if organizations don't address the threat," added Vuksan.
"Businesses must shift from blind trust of the integrity of software to proven tools and processes that can verify software and ensure it is free of material risks. This includes the ability to scan raw code and compiled binaries in any software they build or buy for behaviors and unexplained changes that may indicate instances of malware and tampering."
News URL
https://www.helpnetsecurity.com/2024/01/24/software-supply-chain-abuse/
Related news
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems
- LottieFiles hit in npm supply chain attack targeting users' crypto
- LottieFiles hacked in supply chain attack to steal users' crypto
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer