ReversingLabs Second Annual Report Reveals a 1300% Increase in Malicious Packages on Major Open-Source Software Platforms Since 2020
Cambridge, MA—January 16, 2024—ReversingLabs, the trusted authority in software and file security, today released its 2024 State of Software Supply Chain Security Report, highlighting the impact of key trends in 2023 and those expected to evolve in 2024. The report calls out visibility gaps in the software supply chain; an increase of malware on open source package managers; and continuing problems with leaks of developer secrets, all of which increase risk and exposures in the software supply chain for any organization developing and deploying software.
The report insights are gleaned from the ReversingLabs Software Supply Chain Security platform and its industry-leading threat repository, containing over 40 billion malware and goodware files. In all, ReversingLabs identified close to 11,200 unique malicious packages across three major open-source software platforms in 2023: npm, PyPI, and RubyGems. That marks an astounding 1,300% increase in malicious packages from 2020, and an increase of 28% over 2022, when a little more than 8,700 malicious packages were detected.
“Over the years, we’ve closely monitored the increase of software supply chain exposures and attacks. This new report reflects the proliferation of malware across open-source and commercial platforms,” said Mario Vuksan, Co-founder and CEO of ReversingLabs. “Businesses relying only on legacy application security will continue to be victimized. In fact, we expect to see continued material risk to the software development pipeline, with that risk and escalation processes becoming a critical focus for regulators.”
Additional data from the report shows:
- A 400% annual increase in threats on the PyPI platform, with more than 7,000 instances of malicious PyPI packages discovered in the first three quarters of 2023. The vast majority of these were classified as “infostealers.”
- More than 40,000 instances of leaked or exposed development secrets across the major package managers (npm, PyPI and RubyGems)
- A drop in the number of malicious packages hosted on the npm repository. Instances of malicious npm packages in the first three quarters of 2023 decreased by 43% compared with malicious npm packages identified in all of 2022.
Lower-skilled Cyber Criminals Join Sophisticated Nation-State Actors
Over the last 12 months, software supply chain attacks have also become simpler to carry out and more accessible. Data compiled by ReversingLabs shows that the barrier to entry for supply chain attacks lowered steadily in the last year, and everything indicates that it will continue to do so in 2024. No longer just the domain of nation-state actors, software supply chain attacks are increasingly perpetrated by low-skill cyber criminals. One sign of this is the use of open source packages to support commodity phishing campaigns: turnkey, automated attacks whose purpose is to steal victim data. Threat actors have recognized how to abuse weak links in the software supply chain to support both targeted and indiscriminate campaigns.
Exposed Secrets Remain a Top Challenge
Digital authentication credentials (“secrets”) such as login credentials, API tokens, and encryption keys are a prime target for malicious actors, and their exposure was a major challenge in 2023. Through regular scans of npm, PyPI, RubyGems, and NuGet, ReversingLabs found that leaked secrets continue to plague popular applications and hosting platforms, including Slack, AWS, Google, Microsoft’s GitHub, and Azure. Key details include:
- Npm accounted for 77%, or 31,000, of the more than 40,000 secrets detected across these four open-source platforms. Of the secrets detected on npm, 56% were used to access Google services, compared to 9% attributed to Amazon’s AWS cloud services.
- The research identified a similar pattern on PyPI, which accounted for 18% of the leaked secrets observed in 2023. In these instances, tokens used to access Google services accounted for just over 24% of the secrets detected. Secrets related to Amazon Web Services (AWS) accounted for around 14% of the total discovered on PyPI.
A Post-Trust Software Supply Chain
The shifting terrain of software supply chain risk that characterized 2023 will continue to alter the cybersecurity landscape in 2024, ReversingLabs research indicates. Threats and attacks targeting open source and commercial, third-party code will continue to grow, even as the methods and preferences of malicious supply chain actors evolve. Both cybercriminal and nation-state hackers can be expected to gravitate to platforms and techniques that are the most likely to succeed. And in the wake of high-profile attacks, software producers and end user organizations should expect to see a continued high bar of disclosure requirements as well as more pointed guidance from the federal government, including the use of Software Bills of Materials (SBOMs) when securing the software supply chain.
“Lacking sufficient visibility, software producers and their customers are failing to spot signs of code tampering and abuse within development pipelines or threats hiding in compiled software artifacts. In 2024, we expect software supply chain attacks to escalate if organizations don’t address the threat,” added Vuksan. “Businesses must shift from blind trust of the integrity of software to proven tools and processes that can verify software and ensure it is free of material risks. This includes the ability to scan raw code and compiled binaries in any software they build or buy for behaviors and unexplained changes that may indicate instances of malware and tampering.”
To learn more about current and emerging trends in software supply chain risk, read the complete 2024 State of Software Supply Chain Security report, prepared using insights from ReversingLabs’ award-winning Software Supply Chain Security platform.
For additional insights, attend ReversingLabs The State of Software Supply Chain Security 2024 Webinar on January 31 at 12pm ET. The Webinar will feature Derek Fisher, Author and Executive Director of Product Security at JP Morgan Chase and Matt Rose, Field CISO at ReversingLabs who will share key takeaways to help organizations prepare their software supply chain security programs for the coming year and beyond. To register for the Webinar, click here.
Additional Reading
- The State of Software Supply Chain Security infographic
- Read the Gartner Report “Mitigate Enterprise Software Supply Chain Security Risks”
- To learn more about ReversingLabs Software Supply Chain Security Solution, click here.
- To learn more about ReversingLabs Complex Binary Analysis, click here.
About ReversingLabs
ReversingLabs is the trusted authority in software and file security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, the ReversingLabs Titanium Platform® powers software supply chain and file security insights, tracking over 35 billion files daily with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.