Software Supply Chain Attacks Leveraging Open-Source Repos Growing
After an exponential increase in supply chain attacks between 2020 and early 2022, businesses saw a slower but steady rise throughout 2022, according to ReversingLabs’ report, The State of Software Supply Chain Security, published on December 5, 2022.
ReversingLabs based their research on the number of malicious packages uploaded to open-source repositories such as npm, PyPI and RubyGems.
The company noted that producing truly comprehensive data on supply chain attacks is “virtually impossible” because of the sophistication of applications used by organizations, as well as “the absence of a governing body responsible for monitoring the security and integrity of development organizations”.
Although data on the repositories gives only a limited view of how threat actors are leveraging software vulnerabilities, it is telling and can point towards “a possible ‘canary in the coal mine’ indicating that more sophisticated, harder-to-detect attacks may be out there,” the report reads.
“Our analysis of supply chain attacks like IconBurst and Material Tailwind shows that malicious actors are increasingly trying to leverage trust in open-source software to plant malicious code within organizations. Why? Because they don’t want to reinvent the wheel,” Tomislav Pericin, ReversingLabs’ Co-founder and Chief Software Architect, told Infosecurity.
“The speed of devops, with hundreds, sometimes thousands, of releases a day creates this ecosystem of the unknown, and they are trying to move as fast as possible. They leverage these open-source packages, or APIs, and then the software publisher propagates them through new releases of the software, or updates,” he said.
npm, for example, saw close to 7000 malicious package uploads from January to October 2022, a nearly 100-fold increase over the 75 malicious packages discovered in 2020 and a 40% increase over all packages discovered in 2021.
Malicious npm packages represented 66.7% of all malicious packages analyzed by ReversingLabs.
In contrast, the PyPI repository saw a nearly 60% decrease in malicious package uploads over the last year, going from 1493 packages in 2021 to 3685 in 2022. But malicious activity is still up more than 18,000% over 2020, when just eight malicious packages were detected, and several peaks were identified over the summer of 2022.
The attacks have increased the focus on software supply chain security.
Following the issuance of the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), the past year saw new federal guidance for tightening supply chain security, including:
- A practice guide for software suppliers to the federal government issued by the Enduring Security Framework (ESF) Software Supply Chain Working Panel.
- A memorandum from the Office of Management and Budget (M-22-18) that requires software firms to attest to the security of software and services they license to Executive Branch agencies.
“In the coming year, software publishers with federal contracts will need to clear higher bars for software security to meet the new guidelines, including having to attest to the security of their code and — in some cases — produce software bills of materials (SBOMs) that provide a roadmap for tracking down supply chain threats,” the report reads.
According to Pericin, “while being left to the side for a long time, software supply chain security is going to become commonplace, just like other application security testing technologies such as static application security testing (SAST), dynamic application security testing (DAST), software composition analysis and API security scanning.”