Open source malware surged by 156% in 2024
Hackers are taking advantage of lax verification and surging demand to distribute and scale malware in record time
The growth of open source malware has continued apace in 2024, according to new research, with cyber criminals taking advantage of the proliferation of open source software.
A report from software supply chain management firm Sonatype found there was a 156% increase in malicious packages identified on open source repositories over the past year.
Sonatype has identified 778,529 malicious open source packages since it began tracking them in 2019, which it noted was an increase of 70,000 since its annual report was published in October.
Open source malware consists of malicious packages that disguise themselves as legitimate open source software (OSS) to infiltrate software supply chains.
The report listed three distinct characteristics of open source malware: it is intentionally inserted into open source repositories for malicious purposes, it specifically targets developers, and it is able to evade conventional detection methods.
Sonatype said this approach is able to circumvent traditional security measures and poses a unique threat to enterprises.
“This unique distribution method — compromised open source repositories — exploits gaps in dependency management tooling and development build pipelines, bypassing conventional security mechanisms in order to attack software developers directly,” the report warned.
Npm accounts for over 98% of malicious open source packages
Sonatype noted that software repositories like npm and PyPI process trillions of open source package requests each year, featuring a publishing model that is designed to ensure speed of delivery with the aim of helping foster agile development and innovation.
The unintended consequence of this model is that it makes it far easier for hackers to smuggle their malicious packages onto the platforms unnoticed.
For example, the report noted that npm, the world’s largest JavaScript package registry, was disproportionately impacted by the plague of malicious packages.
Overall, npm accounted for 98.5% of the malicious packages identified by Sonatype over the course of 2024; whereas PyPI, the official package repository for Python, represented just 1% of open source malware Sonatype detected.
In total, Sonatype found over 540,000 malicious components hosted on npm, dwarfing the roughly 5,000 malicious assets identified on PyPI.
Sonatype said the ease of publishing on npm, which allows devs to publish packages with minimal verification, means they can “upload malicious components quickly and at scale”.
The report added that npm has been a victim of surges of spam packages in recent years.
A significant proportion of this spam looks to simply monetize a high volume of downloads using protocols like Tea.xyz, whereas others are seeking to embed malware into projects for more nefarious purposes.
Finally, the sheer scale of demand on the npm platform, which will have received an expected 4.5 trillion requests in 2024 – up 70% compared to 2023 – makes it an ideal target for threat actors looking to maximize their impact.
Speaking to ITPro, Steve Sandford, partner and head of digital forensics & incident response at CyXcel, outlined why npm is drawing the attention of cyber criminals over other popular open source repositories, and what businesses should be doing to mitigate the threat.
“The rise of open source malware is a growing concern as open source software becomes more integral to enterprise IT. NPM is a popular target due to its dominance and high download volume, with minimal verification processes allowing malicious actors to introduce compromised packages easily,” he explained.
“In contrast, PyPI has a smaller user base. As technology evolves and uses increase, the threat of malware will likely grow. To mitigate these threats, enterprises should implement automated scanning tools, maintain an updated inventory of open source components, ensure regular updates and patching, conduct security assessments, train employees, and develop an incident response plan.”
Over 15 billion unvetted shadow downloads in 2024
But the report added that it discovered a large number of malicious packages that were bypassing repository managers altogether, and were being directly downloaded onto dev machines or shared build infrastructures.
Referred to as shadow downloads, Sonatype defines this trend as open source components taken from a public repository but bypassing the artifact repository manager.
“This practice introduces unvetted and unobservable dependencies into projects, bypassing established governance, review, and security processes,” Sonatype explained.
“While precise numbers vary by organization, recent insights indicate a surprising percentage in production environments originated from shadow downloads, escaping security review entirely.”
Sonatype warned that shadow downloads, which saw a 15.6 billion increase in downloads between December 2023 and November 2024, undermine software supply chain security in several ways.
Firstly, the lack of visibility of shadow downloads means they often go unnoticed, making it far more difficult to manage updates.
Secondly, they expose systems to unvetted components, increasing the likelihood of introducing malicious packages, such as those associated with dependency confusion or typosquatting, Sonatype added.
Finally, bypassing repository managers means organizations no longer have the ability to enforce policies, such as release integrity checks or vulnerability scans, on the components.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.