"Sonatype Reports 156% Increase in OSS Malicious Packages"

According to security researchers at Sonatype, open-source software (OSS) consumption continues to soar, and open-source malware has surged by 156%. The researchers stated that more than 704,102 malicious packages have been identified since 2019, and 512,847 of these have been discovered since November 2023. They noted that this year has been a record-breaking year for open-source consumption, reaching an estimated 6.6 trillion downloads. JavaScript (npm) alone accounted for a staggering 4.5 trillion requests in 2024, representing 70% year-over-year growth in requests. npm is the package manager for the JavaScript programming language, and PyPI the package manager for Python. The researchers stated that organizations continue to struggle with efficient risk mitigation, and noted that open-source and commercial software alike will eventually have bugs that evolve into vulnerabilities. Despite more than 99% of packages having updated versions available, 80% of application dependencies remain un-upgraded for over a year. In addition, 95% of the time a vulnerable component is consumed, a fixed version already exists.

Infosecurity Magazine reports: "Sonatype Reports 156% Increase in OSS Malicious Packages"

Submitted by Adam Ekwall on