New Report on Malicious Packages Shows Exponential Threat of Application Infiltration
TEL AVIV, Israel and BOSTON – April 11, 2023 – Mend.io, a leader in application security, released findings today from its latest report “Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities” which illustrates the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and rubygems alone grew 315 percent. Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications.
What’s Living in Your Code Base?
Using its latest feature enhancement, 360° Malicious Package Protection, Mend.io detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration – causing an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed.
“Understanding the potential threats out there is just as important as maintaining software best practices, including updating software dependencies regularly, tracking components being implemented into your software, and doing continual software testing,” said Rami Sass, CEO and co-founder, Mend.io. “As long as open source means open, the door’s left open to bad actors, which is why it’s critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and cannot be taken lightly.”
While less than four percent of packages were protestware, the trend gained a lot of attention over the past year with incidents of protestware connected to the Russia and Ukraine war. Global enterprises should be wary of this risk, as it will certainly evolve and mature as other conflicts arise.
When it comes to applications, threat actors are always quick to jump on new attack methods, and they clearly see malicious packages as a golden opportunity. Alongside this, there’s been a jump in monthly attacks between 2021 to 2022, as Mend.io research noted a sharp increase in overall numbers starting in October 2021. Case in point: 13 attacks were detected in January 2021, while 530 were detected in January 2022, a 190 percent increase. January 2023 numbers create even more concern, as several spam attacks pushed the monthly tally to 59,919.
“The issue of malicious packages is only going to continue to grow, as the year over year trend shows. Detection of malicious open source software and prevention of it entering registries and repositories is critical, on top of exposing lurking packages living in existing code of built and released applications,” said Jeffrey Martin, VP product management, Mend.io. “We recognize the importance and value of this to our customers, and in fact, we launched a feature that detects malicious packages within existing applications. At Mend, we provide a complete solution that enables companies to face the challenge of malicious packages head on by enabling identification of those already in your code base plus the ability to proactively and automatically block new malicious packages from entering your code base.”
About the Report
The report examines data from the 360 degree protection feature within Mend.io Software Composition Analysis (SCA) as well as data from Mend.io Supply Chain Defender, a solution that helps enterprises defend the software supply chain. Supply Chain Defender has scanned almost 12.6 million packages since 2020.
To download a full copy of the report, visit here.
Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.
Guyer Group for Mend.io