Can you trust open-source? Repositories increasingly contain malware, analysts warn


Dependence on open-source repositories has sparked a surge in malicious packages infiltrating software products, software supply chain security company Sonatype has warned.

After analyzing over seven million open-source projects, researchers found malware in seven percent of the packages. Malicious packages often lurk in ecosystems such as JavaScript (npm) and Python (PyPI).

“Over 512,847 malicious packages have been logged just in the past year, a 156% increase year-over-year, highlighting a critical need for organizations to adapt their consumption practices,” Sonatype warns.


Up to 90% of modern software now relies on open-source components. This year alone, such packages were downloaded more than 6.6 trillion times. Yet only 10.5% of the more than seven million available packages are actively used in development.

The most notorious attempt to weaponize open-source software was the supply chain attack on XZ Utils, a widely used compression library. Over several years the attacker built up trust as a contributor and eventually inserted a backdoor into the upstream releases. The backdoor was discovered in March 2024, before the affected versions reached the stable releases of major Linux distributions, and largely by luck: an engineer noticed unexpected sshd latency and dug into it. A global compromise of Linux servers and enterprises was averted.

There are many more examples of malicious packages published to open-source repositories, including ones that deliver the LUMMA infostealer.

“Examples such as the LUMMA malware found in PyPI and the XZ Utils package backdoor highlight the growing sophistication of these attacks, which often bypass traditional security measures, leaving organizations vulnerable,” the report warns.

Moreover, the repositories are riddled with a “combination of unfixed and corrosive vulnerabilities.”

“80% of application dependencies remain un-upgraded for over a year, even though 95% of these vulnerable versions have safer alternatives readily available. It’s not a matter of ‘if’ a breach will occur, but ‘when,’” the report reads.

Sonatype found that many bugs in open-source packages persist for years, and an upgrade can simply land on another vulnerable version. An average application contains 180 components, and even the smallest apps can be affected by dependencies that are hard to track and manage.

For example, 13% of Log4j downloads remain vulnerable three years after the Log4Shell vulnerability was exposed.
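The Log4j figure above is easy to reproduce against your own build, because the vulnerable range is well defined: every log4j-core 2.x release before 2.17.1 (or before 2.12.4 and 2.3.2 on the Java 7 and Java 6 back-port lines) still carries at least one of the Log4Shell-era CVEs, and 2.15.0 and 2.16.0 are exactly the "upgrade to another insecure version" case the report describes. The following script is an added example, not code from the article or from Sonatype. It scans dependency coordinates in the format Maven's `dependency:list` prints (or bare `group:artifact:version` strings) and flags log4j-core versions that predate the complete fixes. The sample dependency lines are constructed for illustration, not taken from a real project.

```python
"""Flag log4j-core versions that still carry a Log4Shell-era CVE.

Added example (not from the article). Scans Maven `dependency:list`-style
lines or bare group:artifact:version coordinates and reports log4j-core
versions below the first fully patched release on their line.
"""
import re
from typing import List, Optional, Tuple

# Matches coordinates such as
#   org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
# or org.apache.logging.log4j:log4j-core:2.14.1 and captures the version.
LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:(?:jar:)?(?P<version>[0-9][^:\s]*)"
)

# First release on each maintained 2.x line that fixes CVE-2021-44228,
# CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 together.
FIXED_MAIN = (2, 17, 1)    # Java 8+ line
FIXED_JAVA7 = (2, 12, 4)   # back-port line for Java 7
FIXED_JAVA6 = (2, 3, 2)    # back-port line for Java 6


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.0-beta9' into ((2, 0), 'beta9'); a plain release has qualifier ''."""
    core, _, qualifier = text.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, qualifier


def flag_log4j_core(version: str) -> Optional[str]:
    """Return a reason this log4j-core version needs attention, or None if it is fine.

    A pre-release qualifier (beta, rc, SNAPSHOT) is treated conservatively:
    2.17.1-rc1 is not accepted as 2.17.1.
    """
    nums, qualifier = parse_version(version)
    nums = (nums + (0, 0, 0))[:3]
    if nums[0] < 2:
        return "Log4j 1.x is end-of-life and receives no security fixes"
    if nums[0] > 2:
        return None
    if nums[:2] == (2, 3):
        fixed = FIXED_JAVA6
    elif nums[:2] == (2, 12):
        fixed = FIXED_JAVA7
    else:
        fixed = FIXED_MAIN
    if nums > fixed or (nums == fixed and qualifier == ""):
        return None
    return "below first fully patched release " + ".".join(map(str, fixed))


def scan_dependencies(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (version, reason) for every log4j-core coordinate that needs work."""
    findings = []
    for line in lines:
        match = LOG4J_CORE_RE.search(line)
        if match:
            reason = flag_log4j_core(match.group("version"))
            if reason:
                findings.append((match.group("version"), reason))
    return findings


# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.4:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:test
""".splitlines()

if __name__ == "__main__":
    for version, reason in scan_dependencies(SAMPLE_DEPENDENCY_LIST):
        print(f"log4j-core {version}: {reason}")
```

Run it against `mvn dependency:list` output piped to a file (or adapt the regex to your build tool's coordinate format); any hit is one of the downloads in Sonatype's 13%. Note that the check is deliberately narrow: it covers only the Log4Shell-era CVEs, not later advisories, so it complements rather than replaces a full SCA scan.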


Malware disguised as open-source comes in many types. Most of it is potentially unwanted applications (46.6%), packages that bring functionality no one asked for, such as protestware carrying a political message.

Phishing packages are the second largest type (13.8%). Posing as a legitimate package, they trick developers into installing them and often drop malware. Around 13.7% of malicious packages were capable of data exfiltration, followed by so-called Security Holding Packages, which have no content (12.7%). A Security Holding Package is the empty placeholder left in place of a malicious package after it has been removed; it serves as a “warning flag” to developers that the earlier versions were harmful.

Researchers also discovered packages containing personally identifiable information exfiltration capabilities, backdoors, crypto stealers, and miners.

Open-source malware contaminates the digital supply chain, undermining the security and stability of systems. Traditional malware scanners often struggle to detect these threats.