Today’s attackers aren’t just exploiting vulnerabilities. Research from the Mend.io report “Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities” illustrates the growing threat of malicious packages. According to the report, the number of malicious packages published to npm and RubyGems alone grew 315 percent from 2021 to 2022.
“Understanding the potential threats out there is just as important as maintaining software best practices, including updating software dependencies regularly, tracking components being implemented into your software, and doing continual software testing,” said Rami Sass, CEO and co-founder, Mend.io. “As long as open source means open, the door’s left open to bad actors, which is why it’s critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and cannot be taken lightly.”
Unfortunately, the fox is already in the henhouse at many companies. Using its latest feature enhancement, 360° Malicious Package Protection, Mend.io detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration, that is, the unauthorized transmission of information out of the affected environment. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed.
While less than four percent of packages were protestware, the trend gained a lot of attention over the past year with incidents of protestware connected to the war between Russia and Ukraine. Global enterprises should be wary of this risk, as it will certainly evolve and mature as other conflicts arise.
When it comes to applications, threat actors are always quick to jump on new attack methods, and they clearly see malicious packages as a golden opportunity. Alongside this, there’s been a jump in monthly attacks between 2021 and 2022, as Mend.io research noted a sharp increase in overall numbers starting in October 2021. Case in point: 13 attacks were detected in January 2021, while 530 were detected in January 2022, a 190 percent increase. January 2023 numbers create even more concern, as several spam attacks pushed the monthly tally to 59,919.
“The issue of malicious packages is only going to continue to grow, as the year-over-year trend shows. Detection of malicious open source software and prevention of it entering registries and repositories is critical, on top of exposing lurking packages living in existing code of built and released applications,” said Jeffrey Martin, VP product management, Mend.io. “We recognize the importance and value of this to our customers, and in fact, we launched a feature that detects malicious packages within existing applications. At Mend, we provide a complete solution that enables companies to face the challenge of malicious packages head on by enabling identification of those already in your code base plus the ability to proactively and automatically block new malicious packages from entering your code base.”
The report examines data from the 360° Malicious Package Protection feature within Mend.io Software Composition Analysis (SCA), as well as data from Mend.io Supply Chain Defender, a solution that helps enterprises defend the software supply chain. Supply Chain Defender has scanned almost 12.6 million packages since 2020.