Discover the concerning trend of software supply chain attacks that continue to surge, even two years after the SolarWinds hack. Malicious exploits leveraging open source modules are multiplying in the commercial sector, with a significant rise in attacks since 2020 and a steady increase in 2022. Notably, npm, a popular open source repository, witnessed a staggering 100 times increase in malicious package uploads compared to 2020, while PyPi also suffered from tainted modules targeting cryptocurrency mining and malware distribution.
These attacks have led to major embarrassment for high-profile organizations like Samsung and Toyota, as their secrets were exposed through internal or third-party maintained open source repositories. In response, there has been a heightened focus on software supply chain security, with the Biden Administration issuing executive orders and federal guidance to strengthen security practices.
The upcoming year will bring stricter requirements for software publishers with federal contracts, necessitating improved software security and the production of software bill of materials (SBOMs) to combat supply chain threats. However, the threat of supply chain attacks extends beyond government suppliers, requiring all software development organizations to adopt similar measures.
To counter these threats, this report offers valuable recommendations, including heightened scrutiny of open source risks and enhanced coordination between development teams and security operations centers (SOCs). By implementing these measures, organizations can stay ahead of supply chain compromises and protect their software ecosystem effectively.
