Report

The State of Software Supply Chain Security

21 pages

Almost two years after word of the SolarWinds hack first spread, software supply chain attacks show no sign of abating. In the commercial sector, attacks that leverage malicious open source modules continue to multiply. Enterprises have seen an exponential increase in supply chain attacks since 2020, followed by a slower but still steady rise in 2022. The popular open source registry npm, for example, saw close to 7,000 malicious package uploads from January to October of 2022: nearly 100 times the 75 malicious packages discovered in 2020 and a 40% increase over the malicious packages discovered in 2021. The Python Package Index (PyPI) was also flooded with tainted open source modules designed to mine cryptocurrency and plant malware, among other things. These attacks were consistent with what researchers observed in 2021, when attackers commonly used techniques such as dependency confusion and typosquatting. As in previous years, high-profile organizations including Samsung and Toyota found themselves embarrassed by secrets leaked through open source repositories that were maintained internally or by third-party contractors. The attacks have increased the focus on…