The year 2021 saw a significant increase in software supply chain threats. Attacks surged by more than 300 percent in 2021 compared to 2020, according to a report by Argon Security. Log4J and the VSA tool featured in some of the most well-known attacks.
Apart from that, there was an increase in the criminal use of open-source software repositories, which allowed threat actors to gain access to a software vendor's network and use malicious code to launch further attacks. Since February, Sonatype has observed a rise in malicious packages entering several open-source repositories, indicating that this trend remains a substantial concern.
Open-source repositories are being targeted.
Researchers from Sonatype discovered hundreds of counterfeit packages in the npm and PyPI repositories at the beginning of March, which were used to deploy Remote Access Trojans (RATs).
To exfiltrate basic information such as username, hostname, IP addresses, and OS details, over 130 typosquatting packages named after prominent companies, websites, and projects were published to the npm repository.
Aside from that, eight malicious PyPI packages targeted Azure developers and environments using dependency confusion attacks.
More assaults have been detected.
- In another incident, a set of more than 200 malicious npm packages was discovered targeting Microsoft Azure developers in order to steal their Personally Identifiable Information (PII).
- The attack was directed at the @azure npm scope as a whole. To remain undetected, the attackers used an automated script to create accounts, which they also used to upload malicious packages.
- Checkmarx recently issued a warning about fully automated npm supply chain attacks that injected hundreds of malicious packages into the npm registry.
- This was the work of RED-LILI, a threat actor. To launch difficult-to-detect dependency confusion attacks, the attacker had fully automated the process of creating an npm account.
- The threat actor, according to Checkmarx, is still active and continues to distribute malicious packages.
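The following Python script is an added example, not code from the original article or from Sonatype or Checkmarx. It audits an npm lockfile for the two patterns described above: a package under a scope that should only resolve from a private registry but was fetched from the public one (dependency confusion), and a name that closely resembles a popular package (typosquatting). The lockfile, the `@acme` scope, the registry URL and the popular-name list are all constructed for the example.

```python
import json
from difflib import SequenceMatcher

# Constructed sample package-lock.json (lockfileVersion 3 "packages" layout).
LOCKFILE = json.loads(r'''{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"lodash": "^4.17.21", "@acme/auth-utils": "^9.0.0", "loadsh": "^1.0.0"}},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/@acme/auth-utils": {"version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth-utils/-/auth-utils-99.0.0.tgz"},
    "node_modules/loadsh": {"version": "1.0.0",
      "resolved": "https://registry.npmjs.org/loadsh/-/loadsh-1.0.0.tgz"}
  }
}''')

# Assumptions for this example: scopes that exist only in an internal registry,
# the placeholder URL of that registry, and a short list of popular package names.
PRIVATE_SCOPES = {"@acme"}
PRIVATE_REGISTRY = "https://npm.internal.example/"
POPULAR = ["lodash", "express", "react", "axios", "chalk"]

def package_name(path):
    # "node_modules/a/node_modules/@s/b" -> "@s/b"
    return path.rsplit("node_modules/", 1)[-1]

def close_match(name, threshold=0.8):
    """Return the popular name this one most resembles (but is not), else None."""
    best = max(POPULAR, key=lambda p: SequenceMatcher(None, name, p).ratio())
    ratio = SequenceMatcher(None, name, best).ratio()
    return best if name != best and ratio >= threshold else None

def audit_lockfile(lock):
    """Return (name, finding, resolved_url) tuples for suspicious entries."""
    findings = []
    for path, meta in lock["packages"].items():
        if not path:          # "" is the root project, not a dependency
            continue
        name = package_name(path)
        resolved = meta.get("resolved", "")
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope in PRIVATE_SCOPES and not resolved.startswith(PRIVATE_REGISTRY):
            findings.append((name, "dependency-confusion", resolved))
        else:
            match = close_match(name)
            if match:
                findings.append((name, "possible-typosquat of " + match, resolved))
    return findings

if __name__ == "__main__":
    for name, finding, url in audit_lockfile(LOCKFILE):
        print(f"{finding}: {name} <- {url}")
```

In a real pipeline the same check would run in CI against the committed lockfile, with `PRIVATE_SCOPES` taken from the organisation's `.npmrc` scope-to-registry mappings.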
Conclusion
The fact that open-source software is becoming a prime target for software supply chain attacks is a harsh truth. To avoid such sophisticated attacks, firms should strengthen the security of their software development process. Furthermore, developers who use open-source software must only download code from legitimate upstream sources to avoid being compromised by malicious source code.