"Upstream Supply Chain Attacks Triple in a Year"

Security experts at Sonatype have warned of surging cyber risk in open-source ecosystems, having detected three times more malicious packages in 2023 than in the previous year. The vendor detected 245,032 malicious packages in 2023, which amounts to twice as many software supply chain attacks as during the period 2019-2022.

Sonatype noted that it is not just deliberate malicious activity that poses a threat to organizations that download these components to accelerate time-to-value. The company revealed that 2.1 billion open-source downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was already available. Sonatype stated that nearly a quarter (23%) of Log4j downloads are still of critically vulnerable versions, despite a fix for the utility having been released almost two years ago. Sonatype estimated that over two-thirds (65%) of all vulnerable downloads in 2022 contained a high- or critical-severity vulnerability.

Sonatype noted that a lack of awareness may be partly to blame. Two-thirds (67%) of respondents to a Sonatype poll said they were confident their applications do not rely on known vulnerable libraries. Yet nearly 10% also said they had experienced security breaches due to open-source vulnerabilities in the past 12 months. Nearly a third (29%) of respondents take over a week to discover vulnerabilities, and an even larger share (36%) require over a week to mitigate them. Sonatype argued that although only 11% of open-source projects are “actively maintained” over time, it is developers, rather than open-source maintainers, who need to be more risk aware.


Infosecurity reports: "Upstream Supply Chain Attacks Triple in a Year"

Submitted by Adam Ekwall on