Preparing for The Next-Generation of Software Supply Chain Attacks


By Ax Sharma, Security Researcher and Advocate, Sonatype

Legacy open source software supply chain "exploits," such as the now famous Struts incident at Equifax, prey on publicly disclosed open source vulnerabilities and PLC exploits that are left unpatched in the wild.

Conversely, "next generation" software supply chain attacks are far more sinister because bad actors are no longer waiting for public vulnerability disclosures. Instead, they are taking the initiative and actively injecting malicious code into open source projects that feed the global supply chain. By shifting their focus "upstream," bad actors are taking the initiative to contribute code to open source projects and then - unbeknownst to the other OSS project maintainers - injecting malicious code. Those code changes then make their way into open source projects that feed the software supply chains of developers around the world.

A fairly recent example of the most common type of these novel attacks, typosquatting and brand-jacking malware, was a fake npm package that was created and named after the popular cloud communications provider Discord, and opened a reverse shell as soon as it was installed. So, imagine a developer installs this npm package thinking it relates to Discord and as soon as it's installed it automatically launches a reverse shell script and now has access to everything. We've seen a few of the malicious components target Discord app developers because of how popular a platform it is.

These novel attacks are possible for a few reasons -

  1. Open source projects rely on contributions from thousands of volunteer developers, and discriminating between community members with good or malicious intent is difficult, if not impossible.
  2. Open source projects themselves typically incorporate hundreds — if not thousands — of dependencies from other open source projects, which may contain known vulnerabilities. While some open source projects demonstrate great hygiene, many others do not. But, even the best ones may have something sneak through.
  3. The sheer volume of open source in use and the massive number of dependencies makes it difficult to quickly evaluate the quality and security of every new version of a dependency.
  4. The ethos of open source is built on "shared trust" between a global community of individuals, which creates a fertile environment whereby bad actors can prey upon good people with surprising ease.

Next-gen supply-chain attacks expected to evolve and grow

We saw these types of attacks growing at an alarming rate in 2019 and 2020. In fact, Sonatype's 2020 State of the Software Supply Chain found a 430% increase in upstream software supply chain attacks over the past year. And, since then, Sonatype has found more than 12,000 suspicious and malicious packages just in the npm ecosystem.

Keeping the above in mind, it is virtually impossible to manually chase and keep track of such components. The only path forward is automating your software supply chain management, and creating software bills of materials to know exactly what's in your software. We've put a lot of effort into creating an easy to use platform at Sonatype that can do just that. Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.

Sustaining Partners