Security experts have warned of surging cyber risk in open source ecosystems, having detected three times as many malicious packages in 2023 as in 2022.
Sonatype’s 9th Annual State of the Software Supply Chain Report is compiled from proprietary and public data and analysis including dependency update patterns for more than 400 billion Maven Central downloads.
The vendor detected 245,032 malicious packages in 2023, twice as many software supply chain attacks as it found in 2019-2022 combined.
It’s not just deliberate malicious activity that is posing a threat to organizations that download these components to accelerate time-to-value.
The report also revealed that 2.1 billion open source downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was already available. That is 96% of all vulnerable downloads, the same share as a year ago.
Nearly a quarter (23%) of Log4j downloads are still of critically vulnerable versions, despite a fix for Log4Shell (CVE-2021-44228) being released for the utility almost two years ago, in December 2021.
Sonatype estimated that nearly two-thirds (65%) of all vulnerable downloads in 2022 contained a high or critical-severity vulnerability.
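The 96% figure is, in effect, the output of one check: for each component a build pulls in, does a release with the vulnerability fixed already exist? The Python below runs that check over a Maven pom.xml. It is an added example, not code from Sonatype's report or tooling: the advisory table is constructed for illustration (its two Log4j entries use the published fix versions for CVE-2021-44228, 2.15.0, and CVE-2021-45046, 2.16.0), the sample project is made up, and the version comparator, `parse_pom_dependencies` and `find_avoidable_downloads` are this example's own.

```python
"""Added example: flag Maven dependencies that sit inside a known-vulnerable
range when a fixed release already exists (the "avoidable download" check)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    cve: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)
    severity: str


# Constructed advisory table. Real tooling would pull these ranges from a
# feed such as OSV or NVD; the two entries here are the Log4Shell fixes.
ADVISORIES = [
    Advisory("org.apache.logging.log4j", "log4j-core",
             "CVE-2021-44228", "2.0-beta9", "2.15.0", "critical"),
    Advisory("org.apache.logging.log4j", "log4j-core",
             "CVE-2021-45046", "2.0-beta9", "2.16.0", "critical"),
]


def version_key(version):
    """Tokenise '2.0-beta9' into [(1,2),(1,0),(0,'beta'),(1,9)]. Numeric
    tokens are tagged 1 and qualifiers 0, so a qualifier sorts below any
    number and 2.0-beta9 < 2.0."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter keys are padded with (1, 0) so that
    '2.0' == '2.0.0'. Simplified Maven ordering, enough for dotted numeric
    versions; not a full ComparableVersion implementation."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_pom_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each declared dependency,
    resolving ${property} references from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    for dep in root.findall(".//m:dependencies/m:dependency", POM_NS):
        g = dep.findtext("m:groupId", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", namespaces=POM_NS)
        v = dep.findtext("m:version", namespaces=POM_NS)
        if g and a and v:
            deps.append((g.strip(), a.strip(), resolve(v.strip())))
    return deps


def find_avoidable_downloads(deps, advisories=ADVISORIES):
    """For each dependency inside an advisory's [introduced, fixed) range,
    report the CVE and the version that would have avoided it."""
    findings = []
    for g, a, v in deps:
        for adv in advisories:
            if (g, a) != (adv.group, adv.artifact):
                continue
            if (compare_versions(v, adv.introduced) >= 0
                    and compare_versions(v, adv.fixed) < 0):
                findings.append({"coordinate": f"{g}:{a}:{v}", "cve": adv.cve,
                                 "severity": adv.severity, "fixed_in": adv.fixed})
    return findings


# Constructed sample project: log4j-core pinned via a property to a
# pre-Log4Shell release, log4j-api already on a fixed line.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.1</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for f in find_avoidable_downloads(parse_pom_dependencies(SAMPLE_POM)):
        print(f"{f['coordinate']}: {f['cve']} ({f['severity']}), "
              f"fixed in {f['fixed_in']}")
```

Two caveats a practitioner should keep in mind. A single [introduced, fixed) range per CVE is a simplification: Log4Shell was also patched on the Java 7 and Java 6 lines as 2.12.2 and 2.3.1, so this table would misflag those backports, which is why real feeds carry per-branch ranges. And parsing pom.xml only sees direct dependencies; the transitive graph that actually gets downloaded needs `mvn dependency:tree` or an SBOM as input instead.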
A lack of awareness may be partly to blame. Two-thirds (67%) of respondents to a Sonatype poll said they were confident their applications do not rely on known vulnerable libraries. Yet nearly 10% also said they had experienced security breaches due to open source vulnerabilities in the past 12 months.
Nearly a third (29%) of respondents take over a week to discover vulnerabilities, and an even bigger share (36%) take over a week to mitigate them.
Sonatype argued that although only 11% of open source projects are "actively maintained" over time, it is developers rather than open source maintainers who need to be more risk aware.
“A lot of maintainers are very diligent – Big Tech companies go out of their way to hire talented people to maintain libraries they rely on,” said Brian Fox, CTO at Sonatype.
“Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers to become better decision-makers, and giving them access to the right tools.”
He argued that developers need help to ensure they download components only from projects with the most maintainers and the healthiest ecosystem of contributors – to mitigate risk and recoup wasted effort.
The report also noted that the open source download growth rate has held steady at 33% for each of the past two years, which puts 2023 on course for over four trillion component downloads.