{"id":5729,"date":"2024-10-10T16:42:10","date_gmt":"2024-10-10T21:42:10","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82093"},"modified":"2024-10-10T16:42:10","modified_gmt":"2024-10-10T21:42:10","slug":"malicious-packages-in-open-source-repositories-are-surging","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/10\/malicious-packages-in-open-source-repositories-are-surging\/","title":{"rendered":"Malicious packages in open-source repositories are surging"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Malicious packages in open-source repositories are surging | CyberScoop<\/title> <meta name=\"description\" content=\"The open-source ecosystem is being overrun by malicious packages, a new report from Sonatype finds.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/open-source-security-supply-chain-sonatype\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Malicious packages in open-source repositories are surging\"> <meta property=\"og:description\" content=\"The open-source ecosystem is being overrun by malicious packages, a new report from Sonatype finds.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/open-source-security-supply-chain-sonatype\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-10T21:42:10+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-10T21:42:11+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"858\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1725466133g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1728570921g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82093\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82093\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopen-source-security-supply-chain-sonatype%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopen-source-security-supply-chain-sonatype%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82093 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/open-source-security-supply-chain-sonatype\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.5\">\n<div class=\"single-article__header-content\" readability=\"28.285714285714\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The open-source ecosystem is being overrun by malicious packages, a new report from Sonatype finds. <\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"286\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging.jpg?resize=640%2C286&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=300,134 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=768,343 768w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=1024,458 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=1536,686 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=600,268 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=1200,536 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-2.jpg?resize=1500,670 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> A laptop user typing at their keyboard. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.163689604685\"><body readability=\"66.956188039655\"><\/p>\n<p>The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a <a href=\"https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/\">new report<\/a> from Sonatype.<\/p>\n<p>The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. 
Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.<\/p>\n<p>Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.<\/p>\n<p>Vulnerabilities in open-source packages and the developers who maintain them have become a <a href=\"https:\/\/cyberscoop.com\/open-source-critical-infrastructure-def-con\/\">hot topic<\/a> following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a <a href=\"https:\/\/cyberscoop.com\/open-source-security-trust-xz-utils\/\">yearslong campaign by hackers<\/a> with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Brian Fox, co-founder and chief technology officer at Sonatype, said that attacks like XZ Utils show that malicious hackers \u201chave made the most strides\u201d in open source within the past decade.<\/p>\n<p>Fox said the \u201creal issue is the publishers and consumers\u201d of open-source software.<\/p>\n<p>Data from the report highlighted that developers and publishers have focused on quickly releasing features and publishing new versions such that security was tossed aside.<\/p>\n<p>\u201cWe could see a lot of projects have really improved their ability to release faster,\u201d Fox said. \u201cThat\u2019s not surprising; that is the state of modern software development. 
The disappointing part is while they\u2019re releasing faster, on average, it\u2019s taking longer to fix the vulnerabilities in their dependencies.\u201d<\/p>\n<p>But even when there is a fix, it is also taking longer to patch or mitigate, and Sonatype found that software carrying major bugs like Log4Shell is still being downloaded years after discovery. The researchers found that 13% of Log4J downloads included vulnerable versions.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Critical vulnerabilities used to take somewhere between 200 and 250 days to fix, but now can take up to 500 days before a new release, the report noted.<\/p>\n<p>Medium- and low-severity bugs saw an even more dramatic increase in mitigation time, taking more than 500 and in some cases 800 days or more before a patch was issued. The report shows that less than five years ago those numbers rarely exceeded 400.<\/p>\n<p>The report notes that the increase in time shows that the software supply chain is reaching \u201ccritical points where publisher resources cannot keep pace with the rising volume of vulnerabilities.\u201d<\/p>\n<p>The medley of open-source ecosystems for each programming language can also create unique challenges to strengthening defenses, Sonatype reported. 
For instance, the popular package manager for the JavaScript runtime environment Node.js saw a dramatic increase in spam and cryptocurrency-based malicious packages within the past few years.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.7491289198606\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/malicious-packages-in-open-source-repositories-are-surging-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- 
.popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/open-source-security-supply-chain-sonatype\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious packages in open-source repositories are surging | CyberScoop 
Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,1073,1813,288,2281],"tags":[86,1076,1814,294,2283],"class_list":["post-5729","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-open-source","category-supply-chain","category-threats","category-vulnerability","tag-cybersecurity","tag-open-source","tag-supply-chain","tag-threats","tag-vulnerability"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/open-source\/\" rel=\"category tag\">open source<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain\/\" rel=\"category tag\">supply chain<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category 
tag\">vulnerability<\/a>","tag_info":"vulnerability","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5729"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5729\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}