Sonatype reveals shocking numbers of malicious threats in open-source software supply chain

The newly published annual State of the Software Supply Chain report from Sonatype has landed. Frankly, it makes for troublesome reading. I’m not just talking about the shocking headline statistic: the 245,000 malicious packages discovered is more than double the combined total of all previous years since 2019.

Digging deeper reveals even more concerning numbers.

Aaron Linskens, part of Sonatype’s developer relations team, points out that while patches have been available for a couple of years now, “23% of Log4j downloads [are] critically vulnerable versions”.

Across 2022, Linskens continues, “we saw that 12% of downloads, roughly 1 in 8 of all components served by Maven Central, contained a known security vulnerability”. Maven Central is the largest single public repository for Java open-source components.

As if these numbers aren’t concerning enough, “nearly 96% of component downloads with known vulnerabilities could be avoided by selecting a non-vulnerable version”.
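The "could be avoided by selecting a non-vulnerable version" finding is actionable only if a build can tell which of its dependencies resolve to an affected version and whether a fixed version exists. The script below is an added example, not code from Sonatype or from the article: it parses a constructed pom.xml fragment, matches each coordinate against a constructed advisory table (the `org.example` artifacts, the `EXAMPLE-ADV-*` identifiers and all version ranges are hypothetical placeholders, not real advisories), and reports which findings a version change would eliminate versus which have no published fix.

```python
"""Flag Maven dependencies that resolve to a known-vulnerable version and
report whether a non-vulnerable version is available.

Added example; not code from the Sonatype report or the article. The pom
fragment and the advisory table are constructed sample data, and every
coordinate, advisory id and version range in them is hypothetical.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed pom.xml fragment (hypothetical coordinates, not real projects).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>logging-core</artifactId><version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>json-parser</artifactId><version>1.9.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>http-client</artifactId><version>4.5.13</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table (hypothetical ids and ranges):
#   "group:artifact" -> list of (advisory id, affected lower bound inclusive,
#                                affected upper bound exclusive, first fixed version or None)
ADVISORIES = {
    "org.example:logging-core": [("EXAMPLE-ADV-1", "2.0.0", "2.17.1", "2.17.1")],
    "org.example:json-parser": [("EXAMPLE-ADV-2", "1.0.0", "2.0.0", None)],  # no fix published
}

def parse_version(v):
    """Turn '2.14.1' into a tuple of ints so versions compare numerically;
    non-numeric segments sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def in_range(version, lo, hi):
    """Affected when lo <= version < hi (the upper bound is the first clean version)."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)

def parse_dependencies(pom_text):
    """Return (group:artifact, version) pairs; dependencies whose version is
    managed elsewhere (no <version>) are skipped rather than guessed."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    deps = []
    for d in root.findall("m:dependencies/m:dependency", ns):
        g = d.findtext("m:groupId", namespaces=ns)
        a = d.findtext("m:artifactId", namespaces=ns)
        v = d.findtext("m:version", namespaces=ns)
        if g and a and v:
            deps.append((f"{g}:{a}", v))
    return deps

@dataclass
class Finding:
    coordinate: str
    version: str
    advisory: str
    fixed_version: Optional[str]  # None: no non-vulnerable version is published

def audit(pom_text, advisories=ADVISORIES):
    """Match every declared dependency against the advisory table."""
    findings = []
    for coord, version in parse_dependencies(pom_text):
        for adv_id, lo, hi, fixed in advisories.get(coord, []):
            if in_range(version, lo, hi):
                findings.append(Finding(coord, version, adv_id, fixed))
    return findings

def avoidable_ratio(findings):
    """Share of vulnerable dependencies that a version change alone would fix."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed_version) / len(findings)

if __name__ == "__main__":
    fs = audit(SAMPLE_POM)
    for f in fs:
        action = f"upgrade to {f.fixed_version}" if f.fixed_version else "no fix published; mitigate or replace"
        print(f"{f.coordinate}@{f.version}: {f.advisory} -> {action}")
    print(f"avoidable by version selection: {avoidable_ratio(fs):.0%}")
```

Running it against the constructed pom reports two findings: `logging-core` is fixable by moving to the advisory's first clean version, while `json-parser` has no published fix and needs mitigation or replacement. In a real pipeline the advisory table would come from a vulnerability database feed rather than a literal, and the `avoidable_ratio` figure is the per-project counterpart of the 96% the report cites.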


Two stats that highlight malicious package threats

The surging security risk of using open-source libraries, as evidenced by the Sonatype analysis of more than 400 billion downloads from Maven Central, is best highlighted by just two statistics.

  • 67% of survey respondents felt confident that their applications didn’t rely upon vulnerable libraries…
  • …yet 10% reported their organisations had suffered a security incident due to just that across the previous 12 months

It would be easy to lay the blame at the door of project maintainers, but that kind of buck-passing doesn’t withstand scrutiny. So, while one in five projects stopped being maintained last year, impacting both Java and JavaScript systems, that’s far from the complete risk picture.

For example, don’t think that maintained projects guarantee security. According to Linskens, “maintained projects have a slightly lower incidence of vulnerability”, but the key phrase there is “slightly lower”.

As Brian Fox, Sonatype’s CTO, says: “Our industry needs to direct its efforts towards the right place.

“The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers and giving them access to the right tools.

“The goal is to help developers be more intentional about downloading open-source software from projects with the most maintainers and the healthiest ecosystem of contributors.”

External view on malicious threats in open-source software

Craig Harber, a security evangelist with Open Systems, finds the report unsurprising but highly frustrating. “The lack of mature vulnerability management and patch management processes has been the Achilles heel of most agencies and organisations for as long as I can remember,” he says.

Arguing that real leadership is needed for change, Harber concludes that it’s got to be more than drafting regulations and guidance.

“Investments are needed in automation and AI-driven decision support tools to enable IT teams to do their jobs effectively. System owners and stakeholders need to be held accountable if they fail to provide the IT teams the necessary direction and tools to be successful.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
