Highlight:
- The study focuses on how businesses are now paying closer attention to how safe the software supply chain is, owing to the growing attacks.
- The report states that the hackers’ favorite is the popular open-source repository, the Node Package Manager.
According to a new analysis by Reversing Labs Inc., software supply chain threats have neither slowed nor abated nearly two years after the SolarWinds Worldwide LLC hack.
According to the research, assaults utilizing malicious open-source modules have continued to spread in the commercial sector.
Since 2020, enterprises have witnessed an exponential spike in supply chain attacks, followed by a slower but consistent increase in 2022.
Node Package Manager, a prominent open-source repository, is a favorite among hackers.
From January through October, npm detected almost 7,000 fraudulent package uploads, a nearly 100-fold increase from the 75 malicious packages recorded in 2020 and a 40% rise from 2021.
One such attack, detailed by Reversing Labs in August, involved more than two dozen npm packages that contain obfuscated JavaScript.
The packages were designed to steal data from individuals using applications or websites where the malicious packages had been deployed.
The Python Package Index, or PyPi, was also discovered to be overrun by contaminated open-source modules made, among other things, to mine cryptocurrencies and spread malware.
The attacks were in line with what researchers saw in 2021, when typosquatting techniques and dependency confusion were frequently employed by attackers. The secrets revealed through open-source repositories kept internally or by outside contractors embarrassed renowned companies like Toyota Motor Co. and Samsung Electronics Co. Ltd.
The research emphasizes that such attacks have heightened attention on the security of software supply chain.
In the year since the Biden Administration’s Executive Order on Enhancing the Nation’s Cybersecurity was issued in May 2021, the federal government has issued new advice for enhancing supply chain security.
The Enduring Security Framework Software Supply Chain Working Panel has developed a practice guide for federal government software suppliers for several executive orders and initiatives.
In September, the Office of Management and Budget also issued a memorandum requiring software companies to certify the security of software and services they license to Executive Branch agencies.
The paper concludes that, in the future, software publishers with federal contracts will need to fulfill higher standards for software security to comply with the new requirements.
The higher standards include attesting to the code’s security and, in some cases producing software bills of materials that give a road map for identifying supply chain vulnerabilities.
The report’s authors concluded, “Given that the threat of supply chain attacks goes beyond publishers that sell to the federal government, all organizations that develop software will need to take similar steps to keep ahead of these threats.”