The growth of open source malware has continued apace in 2024, according to new research, with cyber criminals taking advantage of the proliferation of open source software.
A report from software supply chain management firm Sonatype found there was a 156% increase in malicious packages identified on open source repositories over the past year.
Sonatype has identified 778,529 malicious open source packages since it began tracking them in 2019, which it noted was an increase of 70,000 since its annual report was published in October.
Open source malware are malicious packages that disguise themselves as legitimate open source software (OSS) to infiltrate software supply chains.
The three distinct characteristics of open source malware listed in the report were their intentional insertion into open source repositories for malicious purposes, their specific targeting of developers, and ability to evade conventional detection methods.
Sonatype said this approach is able to circumvent traditional security measures and poses a unique threat to enterprises.
“This unique distribution method — compromised open source repositories — exploits gaps in dependency management tooling and development build pipelines, bypassing conventional security mechanisms in order to attack software developers directly,” the report warned.
Npm accounts for over 98% of malicious open source packages
Sonatype noted that software repositories like npm and PyPI process trillions of open source package requests each year, featuring a publishing model that is designed to ensure speed of delivery with the aim of helping foster agile development and innovation.
The unintended consequence of this model is that it makes it far easier for hackers to smuggle their malicious packages onto the platforms unnoticed.
For example, the report noted that npm, the world’s largest JavaScript package registry, was disproportionately impacted by the plague of malicious packages.
Overall, npm accounted for 98.5% of the malicious packages identified by Sonatype over the course of 2024; whereas PyPI, the official package repository for Python, represented just 1% of open source malware Sonatype detected.
RELATED WHITEPAPER
In total, Sonatype found over 540,000 malicious components hosted on npm, dwarfing the roughly 5,000 malicious assets identified on PyPI.
Sonatype said the ease of publishing on npm, which allows devs to publish packages with minimal verification, means they can “upload malicious components quickly and at scale”.
The report added that npm has been a victim of surges of spam packages in recent years.
A significant proportion of this spam looks to simply monetize a high volume of downloads using protocols like Tea.xyz, whereas others are seeking to embed malware into projects for more nefarious purposes.
Finally, the sheer scale of demand on the npm platform, which will have received an expected 4.5 trillion requests in 2024 – up 70% compared to 2023 – makes it an ideal target for threat actors looking to maximize their impact.
Speaking to ITPro, Steve Sandford, partner and head of digital forensics & incident response at CyXcel, outlined why npm is drawing the attention of cyber criminals over other popular open source repositories, and what businesses should be doing to mitigate the threat.
“The rise of open source malware is a growing concern as open source software becomes more integral to enterprise IT. NPM is a popular target due to its dominance and high download volume, with minimal verification processes allowing malicious actors to introduce compromised packages easily,” he explained.
“In contrast, PyPI has a smaller user base. As technology evolves and uses increase, the threat of malware will likely grow. To mitigate these threats, enterprises should implement automated scanning tools, maintain an updated inventory of open source components, ensure regular updates and patching, conduct security assessments, train employees, and develop an incident response plan.”
Over 15 billion unvetted shadow downloads in 2024
But the report added that it discovered a large number of malicious packages that were bypassing repository managers altogether, and were being directly downloaded onto dev machines or shared build infrastructures.
Referred to as shadow downloads, Sonatype defines this trend as open source components taken from a public repository but bypassing the artifact repository manager.
“This practice introduces unvetted and unobservable dependencies into projects, bypassing established governance, review, and security processes," Sonatype explained
“While precise numbers vary by organization, recent insights indicate a surprising percentage in production environments originated from shadow downloads, escaping security review entirely.”
Sonatype warned that shadow downloads, which saw a 15.6 billion increase in downloads between December 2023 and November 2024, undermine software supply chain vulnerabilities in several ways.
Firstly the lack of visibility of shadow downloads means they often go unnoticed, making it far more difficult to manage updates.
Secondly, they expose systems to unvetted components, increasing the likelihood of introducing malicious packages, such as those associated with dependency confusion or typosquatting, Sonatype added.
Finally, bypassing repository managers means organizations no longer have the ability to enforce policies, such as release integrity checks or vulnerability scans, on the components.
-
What is polymorphic malware?Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the companyOpinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Hackers are using Zoom’s remote control feature to infect devices with malwareNews Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
-
Hackers are duping developers with malware-laden coding challengesNews A North Korean state-sponsored group has been targeting crypto developers through fake coding challenges given as part of the recruitment process.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'News Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast
-
Warning issued over ‘fast flux’ techniques used to obscure malicious signals on compromised networksNews Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
-
Fake file converter tools are on the rise – here’s what you need to knowNews The FBI has issued an alert over the rise of fake file converter tools available online after observing a spate of scams and ransomware attacks.
-
Forget MFA fatigue, attackers are exploiting ‘click tolerance’ to trick users into infecting themselves with malware
News Threat actors are exploiting users’ familiarity with verification tests to trick them into loading malware onto their systems, new research has warned.
